Common use of Data Protection Clause in Contracts

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request 
relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; 
and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 41 contracts

Samples: Framework Agreement, Framework Agreement for the Supply of Locum Doctors, Framework Agreement for the Supply of Locum Doctors


Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Goods and Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Supplier Staff who have access to the Personal Data; 22.2.5 obtain prior Approval written consent from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Goods and Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)22; 22.2.7 ensure that none of Supplier’s Supplier Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data 
Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) 22.2.10.1 permit the Authority or the Authority’s Authority Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Sub- Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) 22.2.10.2 provide a written description of the technical and organisational methods employed by the Supplier for Processing processing Personal Data (within the timescales required by the Authority); and (c) 22.2.10.3 not cause or permit to be Processed processed and/or otherwise transferred outside the European UK[European Economic Area Area] any Personal Data supplied to it by the Authority or any Other other Contracting Body without the prior written Approval consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) 22.2.10.3.1 the obligations of a Data 
Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) 22.2.10.3.2 any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 17 contracts

Samples: IT Hardware and Solutions Framework Agreement, IT Hardware and Solutions Framework Agreement, IT Hardware and Solutions Framework Agreement

Data Protection. 22.1 23.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 23.2 The Supplier shall: 22.2.1 Process 23.2.1 process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process 23.2.2 process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Available Goods and Services or as is required by Law or any Regulatory Body; 22.2.3 23.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 23.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Supplier Staff who have access to the Personal Data; 22.2.5 23.2.5 obtain prior Approval written consent from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Available Goods and Services; 22.2.6 23.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)23; 22.2.7 23.2.7 ensure that none of Supplier’s Supplier Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 23.2.8 notify 
the Authority within five (5) Working Days if it receives: (a) 23.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or (b) 23.2.8.2 a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 23.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) 23.2.9.1 providing the Authority with full details of the complaint or request; (b) 23.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) 23.2.9.3 providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) 23.2.9.4 providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) 23.2.9.5 permit the Authority or the Authority’s Authority Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European 
Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 10 contracts

Samples: Goods and Services Framework Agreement, Goods and Services Framework Agreement, Goods and Services Framework Agreement

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Supplier Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates Affiliated Company for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)22; 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; 
or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any 
Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 6 contracts

Samples: Courier Services Framework Agreement, Courier Services Framework Agreement, Courier Services Framework Agreement

Data Protection. 22.1 With respect to the Parties' rights and obligations under 27.1 In this Framework Agreementclause 27, the terms, “processes”, “data controller” and “data processor” shall have the same meanings given to them under Data Protection Legislation. 27.2 The Parties agree acknowledge that for the purposes of Data Protection Legislation, UKRI is the data controller and the Service Provider is the data processor of any UKRI Personal Data. 27.3 The Service Provider shall itself, and shall procure that the Authority is the Staff, comply with all Data Controller and that the Supplier is the Protection Legislation in relation to any Personal Data Processorprocessed. 22.2 The Supplier shall:27.4 Without limiting clauses 27.2 and 27.3, the Service Provider shall at all times (and shall ensure that at all times its Staff): 22.2.1 Process the (a) process Personal Data only in accordance with the documented instructions received from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier UKRI and during the Term)Term of this Contract the Service Provider shall immediately inform UKRI if, in the Service Provider’s opinion, an instruction from UKRI infringes the Data Protection Legislation or any other applicable Law; 22.2.2 Process (b) ensure that any person to whom it provides the Personal Data is subject to appropriate confidentiality obligations; (c) have in place a suitably qualified data protection representative to manage the Personal Data; (d) disclose any Personal Data only on a need to the extent, and in such manner, as it necessary for know basis to Staff directly concerned with the provision of the Services or as is required by Law or any Regulatory BodyServices; 22.2.3 implement (e) not transfer or direct the transfer of any Personal Data to any third party or process or direct the processing of Personal Data outside of the 
European Economic Area in each case without UKRI’s prior written consent (which consent may be subject to conditions as directed by XXXX); (f) keep all Personal Data confidential, and have in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to protect the keep all Personal Data confidential and secure and to protect against unauthorised or unlawful Processing and against processing, accidental loss, destruction, damage, alteration alteration, disclosure or disclosure. These measures shall access; (g) keep records of their data processing activities performed under this Contract in order to be appropriate able to provide information included in those records to the harm which might result from any unauthorised or unlawful Processingdata protection authorities, accidental lossupon request, destruction or damage including but not limited to the Personal Data and having regard to the nature Information Commissioner. Records should include: (i) details of the Personal Data which is to be protecteddata controller and data processor and their representatives; 22.2.4 take all reasonable steps to ensure (ii) the reliability categories of any Supplier’s Staff who have access processing activities that are performed; (iii) information regarding cross-border data transfers; and (iv) a general description of the security measures that are implemented; (h) upon request by UKRI, promptly do such other acts in relation to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order , or any part thereof, as UKRI shall request to transfer the Personal Data enable UKRI to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, 
disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's its obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation (i) notify UKRI promptly (and assistance in relation to any at least within 24 hours) if it receives a request from a Data Subject or a complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation relating to a Data Subject (within the timescales and promptly provide UKRI with all such data, information, cooperation and assistance as is required by UKRI in order to respond to and resolve the Authorityrequest or complaint within any applicable time frames; (j) provide such information and allow for and contribute to audits, including inspections, conducted by UKRI or an auditor mandated by UKRI, as is reasonably necessary to enable UKRI to satisfy itself of the Service Provider’s compliance with this clause 27 and the Data Protection Legislation; (k) on termination or expiry of this Contract, and at any other time on UKRI’s request, either return or destroy (as elected by UKRI) the Personal Data (including all copies of it) and confirm in writing that it has complied with this obligation; and (dl) providing notify UKRI without undue delay on becoming aware of any Personal Data Breach and promptly following notification, provide such data, information and assistance as is required by UKRI in order for UKRI to notify the Authority with any information 
requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject Personal Data Breach to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (Information Commissioner and/or those of its agents, subsidiaries and Sub-ContractorsData Subject(s) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with otherwise fulfil its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 6 contracts

Samples: Facilities Management Services Contract, Facilities Management Services Contract, Facilities Management Services Contract

Data Protection. 22.1 With respect 15.2.1 The Parties acknowledge their respective duties under the DPA and shall give all reasonable assistance to each other where appropriate or necessary to comply with such duties. 15.2.2 To the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and extent that the Supplier is acting as a Data Processor on behalf of the Data Processor. 22.2 The Company, the Supplier shall, in particular, but without limitation: 22.2.1 Process the (a) only process such Personal Data and/or Sensitive Personal Data as is necessary to perform its obligations under this Agreement, and only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified any instruction given by the Authority to the Supplier during the Term)Company under this Agreement; 22.2.2 Process the Personal Data only to the extent, and (b) put in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement place appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processingprocessing of such Personal Data and/or Sensitive Personal Data, and against the accidental loss, loss or destruction of or damage to the such Personal Data and and/or Sensitive Personal Data having regard to the nature specific requirements in this Agreement, the state of technical development and the level of harm that may be suffered by a Data Subject whose Personal Data which and/or Sensitive Personal Data is to be protectedaffected by such unauthorised or unlawful processing or by its loss, damage or destruction; 22.2.4 (c) take all reasonable steps to ensure the reliability of staff who will have access to such Personal Data and/or Sensitive Personal Data, and ensure that such staff are properly trained in protecting Personal Data and Sensitive Data; (d) provide the Company with such information as the Company may reasonably require to satisfy itself that the Supplier is complying with its obligations under the DPA; (e) promptly notify the Company of any Supplier’s Staff who have requests for disclosure of or access to the Personal Data and/or Sensitive Personal Data; 22.2.5 obtain prior Approval from (f) promptly notify the Authority in order to transfer the Personal Data to Company of any Sub-Contractors or Affiliates for the provision breach of the Servicessecurity measures required to be put in place pursuant to this clause 15.2.2; 22.2.6 (g) ensure it does not knowingly or negligently do or omit to do anything which places the Company in breach of its obligations under the DPA; (h) to the extent that any Company data is held and/or processed by the Supplier, the Supplier shall supply that Company data to the Company as requested by the Company. (i) ensure that all it is registered under the DPA and the registration covers any processing required under this Agreement. 
15.2.3 The Supplier Staff required to access and the Personal Data are informed of the confidential nature of the Company shall ensure that Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Sensitive Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and is safeguarded at all times in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or 
permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concernedlaw. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 5 contracts

Samples: Vendor and Supplier Contracts, Services Agreements, Services Agreement

Data Protection. 22.1 With respect to the Parties' rights and obligations under 27.1 In this Framework Agreementclause 27, the terms, “processes”, “data controller” and “data processor” shall have the same meanings given to them under Data Protection Legislation. 27.2 The Parties agree acknowledge that for the Authority purposes of Data Protection Legislation, UKRI is the Data Controller data controller and that the Supplier is the Data Processordata processor of any UKRI Personal Data. 22.2 27.3 The Supplier shall:shall itself, and shall procure that the Staff, comply with all Data Protection Legislation in relation to any Personal Data processed. 22.2.1 Process 27.4 Without limiting clauses 27.2 and 27.3, the Supplier shall at all times (and shall ensure that at all times its Staff): (a) process Personal Data only in accordance with the documented instructions received from UKRI and during the Authority (which may be specific instructions or instructions Term of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to Contract the Supplier during shall immediately inform UKRI if, in the Term)Supplier’s opinion, an instruction from UKRI infringes the Data Protection Legislation or any other applicable Law; 22.2.2 Process (b) ensure that any person to whom it provides the Personal Data is subject to appropriate confidentiality obligations; (c) have in place a suitably qualified data protection representative to manage the Personal Data; (d) disclose any Personal Data only on a need to the extent, and in such manner, as it necessary for know basis to Staff directly concerned with the provision of the Services or as is required by Law or any Regulatory BodyGoods and/or Services; 22.2.3 implement (e) not transfer or direct the transfer of any Personal Data to any third party or process or direct the processing of Personal Data outside of the European Economic Area in each case without UKRI’s prior written consent (which 
consent may be subject to conditions as directed by XXXX); (f) keep all Personal Data confidential, and have in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to protect the keep all Personal Data confidential and secure and to protect against unauthorised or unlawful Processing and against processing, accidental loss, destruction, damage, alteration alteration, disclosure or disclosure. These measures shall access; (g) keep records of their data processing activities performed under this Contract in order to be appropriate able to provide information included in those records to the harm which might result from any unauthorised or unlawful Processingdata protection authorities, accidental lossupon request, destruction or damage including but not limited to the Personal Data and having regard to the nature Information Commissioner. Records should include: (i) details of the Personal Data which is to be protecteddata controller and data processor and their representatives; 22.2.4 take all reasonable steps to ensure (ii) the reliability categories of any Supplier’s Staff who have access processing activities that are performed; (iii) information regarding cross-border data transfers; and (iv) a general description of the security measures that are implemented; (h) upon request by UKRI, promptly do such other acts in relation to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order , or any part thereof, as UKRI shall request to transfer the Personal Data enable UKRI to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in 
writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's its obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation (i) notify UKRI promptly (and assistance in relation to any at least within 24 hours) if it receives a request from a Data Subject or a complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation relating to a Data Subject (within the timescales and promptly provide UKRI with all such data, information, cooperation and assistance as is required by UKRI in order to respond to and resolve the Authorityrequest or complaint within any applicable time frames; (j) provide such information and allow for and contribute to audits, including inspections, conducted by UKRI or an auditor mandated by UKRI, as is reasonably necessary to enable UKRI to satisfy itself of the Supplier’s compliance with this clause 27 and the Data Protection Legislation; (k) on termination or expiry of this Contract, and at any other time on UKRI’s request, either return or destroy (as elected by UKRI) the Personal Data (including all copies of it) and confirm in writing that it has complied with this obligation; and (dl) providing notify UKRI without undue delay on becoming aware of any Personal Data Breach and promptly following notification, provide such data, information and assistance as is required by UKRI in order for UKRI to notify the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the 
Authority’s Representative (subject Personal Data Breach to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (Information Commissioner and/or those of its agents, subsidiaries and Sub-ContractorsData Subject(s) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with otherwise fulfil its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 5 contracts

Samples: Contract for the Supply of Security Architecture and Analysis, Contract for the Supply of Services, Contract for the Supply of Installation of Fibre

Data Protection. 22.1 With respect to [REMEMBER THIS IS THE NON-DATA PROCESSING CONTRACT – IF THE SERVICE INVOLVES DATA PROCESSING THE ALTERNATIVE STANDARD CONTRACT MUST BE USED] 23.1 Both parties will comply with all applicable requirements of the Parties' rights Data Protection Legislation. This clause 23 is in addition to, and does not relieve, remove or replace, a party’s obligations under this Framework Agreementthe Data Protection Legislation. 23.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Parties agree that the Authority is the Data Controller and Controller. The only processing that the Supplier is authorised to do by the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only Authority is in accordance with written instructions from and may not be determined by the Supplier. 23.3 Without prejudice to the generality of clause 23.1, the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 will ensure that it has all Supplier Staff required necessary appropriate consents and notices in place to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any enable lawful transfer of the Personal Data to the Supplier, if required, for the duration and purposes of this agreement. 
23.4 Without prejudice to the generality of clause 23.1, the Supplier shall, in relation to any third party unless directed Personal Data processed in writing to do so connection with the performance by the Supplier of its obligations under this agreement: (a) process Personal Data only on the written instructions of the Authority; 22.2.8 (b) the Supplier’s personnel do not process Personal Data except in accordance with this Agreement; (c) if requested, provide the Authority with such information as the Authority may reasonably require to satisfy itself that the Supplier is able to comply with its obligations under the Data Protection Legislation; (d) notify the Authority within five (5) Working Days immediately if it receives: (ai) a request from a Data Subject to have access to that person's ’s Personal Data; or; (bii) a request to rectify, block or erase any Personal Data; (iii) receives any other request, complaint or request communication relating to either Party’s obligations under the Data Protection Legislation (including any communication from the Information Commissioner); (e) assist the Authority in responding to any request from a Data Subject and in ensuring compliance with the Authority’s obligations under the Data Protection Legislation; (f) ensure it does not knowingly or negligently do or omit to do anything which places the Authority in breach of the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (dg) providing notify the 
Authority immediately and in any event within 24 hours on becoming aware of a Personal Data breach. 23.5 Any written instructions issued in accordance with any information requested by this clause 23 will include detailed requirements in relation to Data Processing. 23.6 The provisions of this clause shall apply during the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description continuance of the technical agreement and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause indefinitely after its expiry or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concernedtermination. 
22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 5 contracts

Samples: Contract for the Provision of Services, Contract for the Provision of Services, Contract for the Provision of Services

Data Protection. 22.1 With respect to 16.1. The Supplier acknowledges that Personal Data described in the Parties' rights and obligations under this Framework Agreementscope of Schedule 9 (Data Protection) may be Processed in performance of the Contract. For the purposes of any such Processing, the Parties agree that the Authority is Supplier acts as the Data Controller Processor and the Purchaser acts as the Data Controller. 16.2. Both Parties agree to negotiate in good faith any such amendments to this Contract that may be required to ensure that both Parties meet all their obligations under Data Protection Laws. The provisions of this clause 16 are without prejudice to any obligations and duties imposed directly on the Supplier is under Data Protection Laws and the Supplier hereby agrees to comply with those obligations and duties. 16.3. The Supplier will, in conjunction with the Purchaser and in its own right and in respect of the Contract, make all necessary preparations to ensure it will be compliant with Data Protection Laws. 16.4. The Supplier will provide the Purchaser with the contact details of its data protection officer or other designated individual with responsibility for data protection and privacy to act as the point of contact for the purpose of observing its obligations under the Data ProcessorProtection Laws. 22.2 16.5. The Supplier shallmust: 22.2.1 Process the 16.5.1. 
process Personal Data only as necessary in accordance with obligations under the Contract and any written instructions from given by the Authority Purchaser (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement nature), including with regard to transfers of Personal Data outside the United Kingdom unless required to do so by law or as otherwise notified by the Authority Regulatory Body to which the Supplier during is subject; in which case the Term); 22.2.2 Process Supplier must, unless prohibited by that law, inform the Purchaser of that legal requirement before processing the Personal Data only to the extent, and in such manner, manner as it is necessary for the provision performance of the Services Supplier’s obligations under this Contract or as is required by Law or any Regulatory Bodythe Law; 22.2.3 16.5.2. subject to clause 16.5.1 only process or otherwise transfer any Personal Data in or to any country outside the United Kingdom with the Purchaser’s prior written consent; 16.5.3. take all reasonable steps to ensure the reliability and integrity of any Supplier Representatives who have access to the Personal Data and ensure that the Supplier Representatives: (a) are aware of and comply with the Supplier’s duties under this Clause; (b) are subject to appropriate confidentiality undertakings with the Supplier or the relevant Sub-contractor; (c) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Purchaser or as otherwise permitted by this Contract; and (d) have undergone adequate training in the use, care, protection and handling of Personal Data. 16.5.4. 
implement appropriate technical and organisational measures including those set in accordance with Article 32 of the GDPR to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These , such measures shall be being appropriate to the harm which might result from any unauthorised or unlawful Processing, Processing accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected.; 22.2.4 take all reasonable steps 16.6. The Supplier shall not engage a sub-contractor to ensure carry out Processing in performance of the reliability Contract without prior specific or general written authorisation from the Purchaser. In the case of general written authorisation, the Supplier must inform the Purchaser of any Supplier’s Staff who have access intended changes concerning the addition or replacement of any other sub-contractor and give the Purchaser an opportunity to object to such changes. 16.7. If the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any SubSupplier engages a sub-Contractors or Affiliates contractor for the provision carrying out Processing activities on behalf of the Services; 22.2.6 Purchaser, the Supplier must ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the same data protection obligations as set out in this Clause 22 (Data Protection); 22.2.7 ensure that none Contract are imposed on the sub-contractor by way of Supplier’s Staff publisha written and legally binding contract, disclose or divulge any in particular providing sufficient guarantees to implement appropriate technical and organisational measures. 
The Supplier shall remain fully liable to the Purchaser for the performance of the Personal Data sub-contractor’s performance of the obligations. 16.8. The Supplier must provide to any third party unless directed the Purchaser reasonable assistance including by such technical and organisational measures as may be appropriate in writing to do so by complying with Articles 12-23 of the Authority;GDPR. 22.2.8 16.9. The Supplier must notify the Authority within five (5) Working Days Purchaser if it receivesit: (a) a request from receives a Data Subject to have access to that person's Personal Data; orAccess Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or request communication relating to the Authorityeither Party's obligations under the Data Protection LegislationLaws; 22.2.9 provide (d) receives any communication from the Supervisory Authority or any other regulatory authority in connection with full cooperation Personal Data processed under this Contract; or (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by law or regulatory order; and assistance such notification must take place as soon as is possible but in relation any event within 3 business days of receipt of the request or any other period as agreed in writing with the Purchaser from time to any complaint or request madetime. 16.10. Taking into account the nature of the Processing and the information available, including bythe Supplier must assist the Purchaser in complying with the Purchaser’s obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations in accordance with Articles 32 to 36 of the GDPR. 
These obligations include: (a) providing ensuring an appropriate level of protection through technical and organisational measures that take into account the Authority with full details circumstances and purposes of the complaint or request;processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events. (b) complying with notifying a data access request within Personal Data breach to the relevant timescales set out in the Data Protection Legislation Purchaser without undue delay and in accordance with the Authority's instructionsany event no later than 24 hours after becoming aware of a Personal Data breach; (c) providing assisting the Authority Purchaser with any Personal Data it holds in relation communication of a personal data breach to a Data Subject (within the timescales required by the Authority; andSubject; (d) providing supporting the Authority Purchaser with any information requested by the Authoritypreparation of a data protection impact assessment; 22.2.10 The (e) supporting the Purchaser with regard to prior consultation of the Supervisory Authority. 00.00. 
Xx the termination or expiry of the Contract the Supplier shall: (a) permit must, on written instruction of the Authority Purchaser, delete or the Authority’s Representative (subject return to the reasonable Purchaser all Personal Data and appropriate confidentiality undertakings), delete existing copies unless law to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that which the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description subject requires storage of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concernedData. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 4 contracts

Samples: Framework Agreement, Framework Agreement, Framework Agreement

Data Protection. 22.1 17.1. With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 Processor in relation to Authority Personal Data. The Supplier shall:shall (and shall procure that Staff) comply with any notification requirements under the Data Protection Legislation 22.2.1 Process 17.2. Notwithstanding the general obligation in Clause 17.1, where the Supplier is Processing any Authority Personal Data only in accordance with instructions from for the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and shall ensure that it has in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement place appropriate technical and organisational measures to protect ensure the security of the Authority Personal Data (and to guard against unauthorised or unlawful Processing of the Authority Personal Data and against accidental lossloss or destruction of, destructionor damage to, damagethe Authority Personal Data), alteration or disclosure. These measures shall be appropriate as required under the ‘Seventh Data Protection Principle’ in schedule 1 to the harm which might result from Data Protection Act 1998 and shall: 17.2.1. provide the Authority with such information as the Authority may reasonably request to satisfy itself that the Supplier is complying with its obligations under the Data Protection Legislation; 17.2.2. 
promptly notify the Authority of any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature breach of the Personal Data which is security measures to be protectedput in place pursuant to this Clause 17.2; 22.2.4 17.2.3. ensure that it does not knowingly or negligently do or omit to do anything which places the Authority in breach of its obligations under the Data Protection Legislation; 17.2.4. take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Authority Personal Data; 22.2.5 17.2.5. obtain prior Approval from the Authority in order to transfer the Authority Personal Data to any Sub-Contractors or Affiliates Affiliated Company for the provision of the Services; 22.2.6 17.2.6. ensure that all Supplier Staff required to access the Authority Personal Data are informed of the confidential nature of the Authority Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)17; 22.2.7 17.2.7. ensure that none of Supplier’s the Staff publish, disclose or divulge any of the Authority Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 17.2.8. notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Authority Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation;; and 22.2.9 17.2.9. 
provide the Authority with full cooperation and assistance in relation to any complaint or request mademade relating to the Authority Personal Data, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Authority Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority;. 22.2.10 17.3. The Supplier shall: (a) permit the Authority shall not Process or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing otherwise transfer any Personal Data (within the timescales required by the Authority); and (c) not cause in or permit to be Processed and/or otherwise transferred any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). 
If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data supplied in or to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer anywhere outside the European Economic Area, the following provisions shall apply: (a) the Supplier shall propose a variation to comply withthe Authority which, if it is agreed by the Authority, shall be dealt with in accordance with Clause Error! Reference source not found. (Variation rocedure) and Clauses 1.1.1(b) to 1.1.1(d); (b) the Supplier shall set out in its proposal to the Authority for a Variation, details of the following: (i) the obligations of a Personal Data Controller under which will be transferred to and/or Processed in or to any Restricted Countries; (ii) the Eighth Restricted Countries to which the Personal Data Protection Principle set out will be transferred and/or Processed; and (iii) any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Schedule 1 of Restricted Countries; (iv) how the Data Protection Act 1998 by providing Supplier will ensure an adequate level of protection to any and adequate safeguards in respect of the Personal Data that is transferredwill be Processed in and/or transferred to Restricted Countries so as to ensure the Authority’s compliance with the DPA; (c) in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and (d) the Supplier shall comply with such other instructions and shall carry out 
such other actions as the Authority may notify in writing, including: (i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and (ii) procuring that any reasonable instructions notified to it Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: (A) a direct data processing agreement with the Authority on such terms as may be required by the Authority; or (B) a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority or Contracting Body concernedand the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority deems necessary for the purpose of protecting Personal Data. 22.2.11 17.4. The Supplier shall use its reasonable endeavours to assist the Authority to comply at all times with any obligations under the Data Protection Legislation DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable the Authority’s obligations under the Data Protection Legislation.DPA to the extent

Appears in 4 contracts

Samples: Framework Agreement, Framework Agreement, Framework Agreement

Data Protection. 16.1 With respect to the parties' rights and obligations under the Agreement, the parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor, as the terms “Data Controller” and “Data Processor” are respectively defined in the Data Protection Act 1998 (“DPA”). 16.2 The Supplier shall: (a) process the Personal Data (as defined in the DPA) only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in the Agreement or as otherwise notified by the Authority to the Supplier during the term of the Agreement); (b) process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Goods or as is required by law or any regulatory body; (c) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (d) take all reasonable steps to ensure the reliability of any Supplier’s Staff or its other personnel who have access to the Personal Data; (e) obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or affiliates for the provision of the Goods; (f) ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 16; (g) ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; (h) notify the Authority within three (3) Business Days, if it receives: (i) a request from a Data Subject (as defined in the DPA) to have access to that person's Personal Data; or (ii) a complaint or request relating to the Authority's obligations under the DPA; (i) provide the Authority with full co-operation and assistance in relation to any complaint or request made, including by: (i) providing the Authority with full details of the complaint or request; (ii) complying with a data access request within the relevant timescales set out in the DPA and in accordance with the Authority's instructions; (iii) providing the Authority (within the timescales required by the Authority) with any Personal Data it holds in relation to a Data Subject; and (iv) providing the Authority with any information requested by 
the Authority; (j) permit the Authority or the Authority's representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 14 (Audit), the Supplier's data processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under the Agreement; (k) provide a written description of the technical and organisational methods employed by the Supplier for processing Personal Data (within the timescales required by the Authority); and (l) not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the DPA by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority. 16.3 The Supplier shall comply at all times with the DPA and shall not perform its obligations under the Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the DPA.

Appears in 4 contracts

Samples: Manufacturing Agreement, Agreement for Supply and Delivery of Personal Protective Equipment & Sundry Tool Items, Manufacturing Agreement

Data Protection. 14.1 The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The CLIENT and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. 14.2 Where the SERVICE PROVIDER, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the CLIENT, it shall: 14.2.1 carry out the Processing of Personal Data only in accordance with instructions from the CLIENT (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the CLIENT to the SERVICE PROVIDER during the Term); 14.2.2 carry out the processing of Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; 14.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 14.2.4 take all reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; 14.2.5 obtain prior written consent from the CLIENT in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Ordered Services; 14.2.6 ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 14; 14.2.7 ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CLIENT; 14.2.8 notify the CLIENT (within five (5) Working Days) if it receives: 14.2.8.1 a request from a Data Subject to have access to that person’s Personal Data; or 14.2.8.2 a complaint or request relating to the CLIENT’s obligations under the Data Protection Requirements; 14.2.9 provide the CLIENT with full cooperation and assistance in relation to any complaint or request made, including by: 14.2.9.1 providing the CLIENT with full details of the complaint or request; 14.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the CLIENT’s instructions; 14.2.9.3 providing the CLIENT with any Personal Data it holds in relation to a Data Subject (within the timescales required by the CLIENT); 
and 14.2.9.4 providing the CLIENT with any information requested by the CLIENT; 14.2.10 permit the CLIENT or its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the SERVICE PROVIDER’s data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the CLIENT to enable the CLIENT to verify and/or procure that the SERVICE PROVIDER is in full compliance with its obligations under this Contract; 14.2.11 provide a written description of the technical and organisational methods employed by the SERVICE PROVIDER for Processing Personal Data (within the timescales required by the CLIENT); and 14.2.12 not undertake the Processing of Personal Data outside the European Economic Area without the prior written consent of the CLIENT and, where the CLIENT consents to a transfer, to comply with: 14.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and 14.2.12.2 any reasonable instructions notified to it by the CLIENT. 
14.3 The SERVICE PROVIDER shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this Contract in such a way as to cause the CLIENT to breach any of its applicable obligations under the Data Protection Requirements. 14.4 The CLIENT may from time to time serve on the SERVICE PROVIDER an information notice requiring the SERVICE PROVIDER within such time and in such form as is specified in the information notice, to furnish to the CLIENT such information as the CLIENT may reasonably require relating to: 14.4.1 compliance by the SERVICE PROVIDER with the SERVICE PROVIDER’s obligations under this Contract in connection with the Processing of Personal Data; and/or 14.4.2 the rights of Data Subjects, including but not limited to subject access rights. 14.5 The SERVICE PROVIDER will allow its data Processing facilities, procedures and documentation to be submitted for scrutiny by the CLIENT or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Contract. 14.6 With respect to the parties’ rights and obligations under this Contract, the parties acknowledge that, except where otherwise agreed, the CLIENT is the Data Controller and the SERVICE PROVIDER is the Data Processor. 
Where the SERVICE PROVIDER wishes to appoint, in accordance with the provisions of Clause 28, a Sub-Contractor to assist it in providing the Ordered Services and such assistance includes the Processing of Personal Data on behalf of the CLIENT, then, subject always to compliance by the SERVICE PROVIDER with the provisions of Clause 28 relating to the appointment of Sub-Contractors, the CLIENT hereby grants to the SERVICE PROVIDER a delegated authority to appoint on the CLIENT’S behalf such Sub-Contractor to undertake the Processing of Personal Data provided that the SERVICE PROVIDER shall notify the CLIENT in writing of such appointment and the identity and location of such Sub-Contractor. The SERVICE PROVIDER warrants that such appointment shall be on substantially the same terms with respect to Data Protection Requirements as are set out in this Contract, including the terms set out in Clause 14.2. Any Sub-Contractor appointed under the provisions of this Clause 14.6 shall, for the purposes of Schedule 2-7, be regarded as a principal Sub-Contractor and shall be specified in Table 1 of Schedule 2-7. 14.7 Save as set out in this Clause 14, any unauthorised Processing, use or disclosure of personal data by the SERVICE PROVIDER is strictly prohibited. 
14.8 The SERVICE PROVIDER shall be liable for and shall indemnify (and keep indemnified) the CLIENT against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the CLIENT which arise directly or in connection with the SERVICE PROVIDER’s data Processing activities under this Contract, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the SERVICE PROVIDER or its employees, servants, agents or Sub-Contractors.

Appears in 4 contracts

Samples: Contract, Contract for Legal Services, Contract for Legal Services

Data Protection. 3.2.1 The Parties’ attention is drawn to the Data Protection Act 1998, Directive 95/46/EC of the European Parliament and any legislation and/or regulations implementing them or made in pursuance of them (the “Data Protection Requirements”). The End-User acknowledges that Royal Mail is the data controller in respect of any personal data in the Data. Royal Mail and the Solutions Provider acknowledge that the End-User is the data controller in respect of any personal data in its own database whether it has been cleansed, modified or otherwise. The End-User agrees it will not do or omit to do any act which would place it, the Solutions Provider or Royal Mail in breach of the Data Protection Requirements and each Party warrants to the other that it will duly observe all its obligations under the Data Protection Requirements which arise in connection with the performance of this Licence Agreement. The End-User agrees that it shall: 3.2.1.1 implement appropriate technical and organisational measures to protect personal data within the Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access; 3.2.1.2 promptly refer to Royal Mail (either directly or indirectly via the Solutions Provider) any queries relating to the personal data within the Data from data subjects, the Information Commissioner or any other law enforcement authority, for Royal Mail to resolve; 3.2.1.3 promptly upon request from Royal Mail provide such information to Royal Mail as Royal Mail may reasonably require to allow it to comply, in relation to the personal data within the Data, with the rights of data subjects, including subject access rights, or with information notices served by the Information Commissioner; and 3.2.1.4 ensure that if, during the term of this Licence Agreement, it intends to make any transfers of personal data within the Data which are not European Commission Approved Transfers, then it shall, prior to any such transfer, obtain Royal Mail’s consent and at the End-User’s own cost provide such further information and sign such further documents, agreements or deeds as Royal Mail may require to ensure the adequate protection of the personal data. 
For the purposes of this clause 3.2 “data controller”, “data subject”, “personal data” and “processing” shall have the meanings ascribed to them in the Data Protection Act 1998.

Appears in 3 contracts

Samples: Data Licence Agreement, Data Licence Agreement, Data Licence Agreement

Data Protection. The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The CLIENT and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. Where the SERVICE PROVIDER, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the CLIENT, it shall: carry out the Processing of Personal Data only in accordance with instructions from the CLIENT (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the CLIENT to the SERVICE PROVIDER during the Term); carry out the processing of Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; take all reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; obtain prior written consent from the CLIENT in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Ordered Services; ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 14; ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CLIENT; notify the CLIENT (within five (5) Working Days) if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s 
Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 3 contracts

Samples: Legal Services Framework Agreement, Legal Services Framework Agreement, Legal Services Framework Agreement

Data Protection. 3.2.1 The Parties’ attention is drawn to the Data Protection Act 1998, Directive 95/46/EC of the European Parliament and any legislation and/or regulations implementing them or made in pursuance of them (the “Data Protection Requirements”). The End-User acknowledges that Royal Mail is the data controller in respect of any personal data in the Data. Royal Mail and the Solutions Provider acknowledge that the End-User is the data controller in respect of any personal data in its own database whether it has been cleansed, modified or otherwise. The End-User agrees it will not do or omit to do any act which would place it, the Solutions Provider or Royal Mail in breach of the Data Protection Requirements and each Party warrants to the other that it will duly observe all its obligations under the Data Protection Requirements which arise in connection with the performance of this Licence Agreement. The End-User agrees that it shall: 3.2.1.1 implement appropriate technical and organisational measures to protect personal data within the Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access; 3.2.1.2 promptly refer to Royal Mail (either directly or indirectly via the Solutions Provider) any queries relating to the personal data within the Data from data subjects, the Information Commissioner or any other law enforcement authority, for Royal Mail to resolve; 3.2.1.3 promptly upon request from Royal Mail provide such information to Royal Mail as Royal Mail may reasonably require to allow it to comply, in relation to the personal data within the Data, with the rights of data subjects, including subject access rights, or with information notices served by the Information Commissioner; and 3.2.1.4 ensure that if, during the term of this Licence Agreement, it intends to make any transfers of personal data within the Data which are not European Commission Approved Transfers, then it shall, prior to any such transfer, obtain Royal Mail’s consent and at the End-User’s own cost provide such further information and sign such further documents, agreements or deeds as Royal Mail may require to ensure the adequate protection of the personal data. 
For the purposes of this clause 3.2 “data controller”, “data subject”, “personal data” and “processing” shall have the meanings ascribed to them in the Data Protection Act 1998.

Appears in 3 contracts

Samples: Deal Sheet, Data License Agreement, Data Licence Agreement

Data Protection. 35.1 The Contractor shall (and shall procure that all of its staff involved in the provision of the Agreement) comply with any notification requirements under the Data Protection Act 1998 (“DPA”) and any other applicable data protection legislation. 35.2 Notwithstanding the general obligation in Clause 35.1, where the Contractor is processing personal data (as defined by the DPA) as a data processor for the Authority (as defined by the DPA) the Contractor shall ensure that it has in place appropriate technical and contractual measures to ensure the security of the personal data (and to guard against unauthorised or unlawful processing of the personal data and against accidental loss or destruction of, or damage to, the personal data), as required under the Seventh Data Protection Principle in Schedule 1 to the DPA; and 35.2.1 to maintain technical and organisational security measures sufficient to comply at least with the obligations imposed on the Authority by the Seventh Principle; 35.2.2 only to process Personal Data for and on behalf of the Authority, in accordance with the instructions of the Authority and for the purpose of performing the Services in accordance with the Contract and to ensure compliance with the DPA; 35.2.3 to allow the Authority to audit the Contractor's compliance with the requirements of this Clause 35 on reasonable notice and/or to provide the Authority with evidence of its compliance with the obligations set out in this Clause 35; 35.2.4 promptly notify the Authority of any breach of the security measures required to be put in place; and 35.2.5 ensure that it does not knowingly or negligently do or omit to do anything which places the Authority in breach of the Authority's obligations under the DPA. 35.3 Subject to Clause 19, the Contractor agrees to indemnify and keep indemnified the Authority against all claims and proceedings and all liability, loss, costs and expenses incurred in connection therewith by the Authority as a result of any claim made or brought by any individual or other legal person in respect of any loss, damage or distress caused to that individual or other legal person as a result of the Contractor's unauthorised processing, unlawful processing, destruction of and/or damage to any Personal Data processed by the Contractor, its employees or agents in the Contractor's performance of the Contract or as otherwise agreed between the Parties. 35.4 Both Parties agree to use reasonable efforts to assist each other to comply with the DPA. For the avoidance of doubt, this includes the Contractor providing the Authority with assistance in complying with subject access requests served on the Authority under Section 7 of the DPA and the Contractor consulting with the Authority prior to the disclosure by the Contractor of any Personal Data in relation to such requests. 35.5 The provisions of this Clause 35 shall apply during the continuance of the Contract and indefinitely after its expiry or termination.

Appears in 3 contracts

Samples: Contract for the Provision of Educational Inputs to the NHS Graduate Management Training Scheme, Contract for the Provision of Educational Inputs to the NHS Graduate Management Training Scheme, Contract for the Provision of Educational Inputs to the NHS Graduate Management Training Scheme

Data Protection. 22.1 21.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree parties acknowledge that the Authority is Authorities will be acting as both Data Controllers and Data Processors according to circumstance during the Data Controller and that term of the Supplier is the Data ProcessorAgreement. 22.2 21.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 Authorities will take all reasonable steps to ensure the reliability and integrity of any Supplier’s Staff employees who have access to Personal Data and ensure that employees: (i) are aware of and comply both the Personal DataAuthority’s Data Controller duties and with the Authority’s Data Processor duties under this Agreement; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data (ii) are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityData Controller Authority or as otherwise permitted by this Agreement; and (iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); 22.2.8 21.3 When an Authority is acting as Data Processor it shall: (i) process the Personal Data only in accordance with instructions from the Authority who is the Data Controller, (ii) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data, (iii) not disclose or transfer the Personal Data to any third party or Supplier unless necessary for the provision of the Services and, (iv) notify the Authority Data Controller within five (5) 3 Working Days if it receives: (a) a request 
receives from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request); (v) a request to have access to that person's rectify, block or erase any Personal Data; or (b) a or any other request, complaint or request communication relating to the Authority's obligations under the Data Protection LegislationDPA; 22.2.9 (vi) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or (vii) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; (viii) provide the Authority Data Controller with full cooperation and assistance (within the timescales reasonably required by that Authority) in relation to any complaint complaint, communication or request made, made including by: (a) by promptly providing the that Authority with full details and copies of the complaint complaint, communication or request; (b) complying request and where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with a data access request the Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;DPA. 
(c) providing the Authority with 21.4 The Authorities agree that they shall not Process or otherwise transfer any Personal Data it holds in relation or to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred country outside the European Economic Area or any Personal Data supplied to it country not deemed adequate by the Authority or any Other Contracting Body without the prior written consent European Commission pursuant to Article 25(6) of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents Directive 95/46/EC. 21.5 The Authorities shall use their reasonable endeavours to Processing and/or transfer outside the European Economic Area, assist each other to comply with: (i) the with any obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 
22.2.11 The Supplier shall comply at all times with the Data Protection Legislation DPA and shall not perform its their obligations under this Framework Agreement in such a way as to cause the other Authority to breach any of its applicable obligations under the Data Protection LegislationDPA to the extent the Authority is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 3 contracts

Samples: Collaboration Agreement, Collaboration Agreement, MKS Model Shared Service Collaboration Agreement

Data Protection. 18.1 The Executive shall at all times during the Appointment adhere to any policy introduced by the Company from time to time to comply with the DPA or equivalent legislation in any other relevant jurisdiction. Breach of this undertaking will constitute a disciplinary offence.
18.2 The Executive hereby consents to the Company holding and processing both electronically and manually the personal data it collects which relates to the Executive which is necessary or reasonably required for the proper performance of this agreement, for management, administrative and other employment related purposes (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose both during and after the Appointment) or divulge any for the conduct of the Personal Data Group’s business or to comply with applicable law, rules and regulations (the “Authorised Purposes”) and the Executive agrees to provide the Group with all personal data relating to her which is necessary or reasonably required for the Authorised Purposes. 18.3 The Executive explicitly consents to the Company or any other Group Company processing her personal data, including her sensitive personal data, where this is necessary or reasonably required to achieve one or more of the Authorised Purposes. 18.4 The Executive acknowledges that the Company may, from time to time collect or disclose her personal data (including her sensitive personal data) from and to third party unless directed in writing to do so parties (including without limitation the Executive’s referees, any management consultants or computer maintenance companies engaged by the Authority; 22.2.8 notify Company, the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint Company’s professional advisers, other Group Companies, any suppliers of goods or request relating services to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation Group and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details potential purchasers of the complaint or request; (b) complying with a data access request within 
the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required business carried on by the Authority; and (d) providing Company and/or the Authority Group). The Executive consents to such collection and disclosure even where this involves the transfer of such data, with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings)safeguards, to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area where this is necessary or reasonably required to achieve one or more of the Authorised Purposes or is in the interests of the Company and/or its shareholders. 18.5 The Company agrees to process any Personal Data supplied personal data made available to it by the Authority or any Other Contracting Body without Executive in accordance with the prior written consent provisions of the Authority or Contracting Body concerned and, where DPA. 
18.6 this clause “data controller” “personal data” “processing” and “sensitive personal data” shall have the meaning set out in section 1 of the DPA.

Appears in 3 contracts

Samples: Service Agreement (Eros International PLC), Service Agreement (Eros International PLC), Service Agreement (Eros International PLC)

Data Protection. Except as would not have a Business Material Adverse Effect: (a) Each Transferred Entity has in relation to its Business complied with the Data Protection Laws. (b) Each Transferred Entity has implemented appropriate technical and organizational measures to ensure a level of security of Personal Data appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. (c) If required by Data Protection Laws, the Transferred Entities have appointed a data protection officer (“DPO”), and complied with the requirements of Data Protection Laws pertaining to the appointment, the position and the tasks of the DPO. (d) Each Transferred Entity has undertaken appropriate due diligence processes prior to the appointment of processors, to ensure that such processors provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that their processing meet the requirements of Data Protection Laws. (e) Each Transferred Entity has put in place valid and enforceable written agreements with processors that meet the requirements of Article 28 of GDPR and all other requirements of Data Protection Laws.
(f) Each Transferred Entity as a controller, processes and has processed Personal Data in a lawful, fair and transparent manner, having always a legal basis for processing such Personal Data, and assuring the data protection principles of purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality, as well as data protection by design and by default. (g) None of the Transferred Entities have received any written notice (including any enforcement notice, de-registration notice or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakingstransfer prohibition notice), to inspect and auditletter, or complaint, or been the Supplier's subject of any written enquiry from a data Processing activities (and/or those of its agentsprotection authority, subsidiaries and Subor any data subject, alleging non-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement;the Data Protection Laws. (bh) provide a written description To the Knowledge of the technical and organisational methods employed by the Supplier for Processing Parent, no Person has gained unauthorized access to or made any unauthorized use of any Personal Data processed by any of the Transferred Entities in the past three (within the timescales required by the Authority); and3) years. 
(ci) not cause or permit To the extent that Personal Data has been transferred and/or access to be Processed and/or otherwise transferred Personal Data has been given to recipients outside the European Economic Area any Personal (“International Data supplied Transfers”) and to it by the Authority or any Other Contracting Body without extent that the prior written consent GDPR applies, each Transferred Entity has ensured that such International Data Transfers meet the requirements of Chapter V of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or GDPR including by implementing appropriate agreements and data transfer outside the European Economic Area, to comply with:mechanisms. (ij) the obligations Each Transferred Entity has provided information to data subjects in particular to employees and users of a Data Controller under the Eighth its website where and as required by Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concernedLaws. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 2 contracts

Samples: Stock Purchase Agreement (CARRIER GLOBAL Corp), Stock Purchase Agreement (APi Group Corp)

Data Protection. B36.1 Each Party shall comply with their respective duties under the Data Protection Legislation and any successor legislation and shall give all reasonable assistance to each other where appropriate or necessary to comply with such duties. B36.1 The Parties agree that in relation to: B36.1.1 Personal Data processed by the Provider in providing Services under this Agreement (for example, patient details, medical history and treatment details), the Provider shall be the sole Data Controller; and B36.1.2 Personal Data, the processing of which is required by the Authority for the purposes of quality assurance, performance management and contract management the Authority and the Provider will be independent Data Controllers; together the “Agreed Purpose”. B36.2 Where the Authority requires information under clause 9.1.2 above, the Provider shall consider whether the requirement can be met by providing anonymised or aggregated data which does not contain Personal Data. Where Personal Data must be shared in order to meet the requirements of the Authority, the Provider shall provide such information in pseudonymised form where possible.
B36.3 Schedule 1 sets out the categories of Data Subjects, types of Personal Data, Processing operations (including scope, nature and purpose of Processing) and the duration of Processing. B36.4 Each Party shall comply with all the obligations imposed on a Data Controller under the Data Protection Laws in relation to all Personal Data that is processed by it in the course of performing its obligations under this Agreement. B36.5 Any material breach of the Data Protection Laws by one Party shall, if not remedied within fourteen (14) days of written notice from the other Party, gives grounds to the other Party to terminate this Agreement with immediate effect. B36.6 In relation to the Processing of any Personal Data, each Party shall: B36.6.1 ensure that it has all necessary notices and consents in place to enable lawful sharing of Personal Data to the Permitted Recipients for the Agreed Purpose; B36.6.2 give full information to any Data Subject whose Personal Data may be processed under this Agreement of the nature of such Processing; B36.6.3 process the Personal Data only for the Agreed Purpose; B36.6.4 not disclose or allow access to the Personal Data to anyone other than the Permitted Recipients;

Appears in 2 contracts

Samples: Contract for the Provision of Public Health Services, Contract for the Provision of Public Health Services

Data Protection. 18.1 The Executive shall at all times during the Appointment adhere to any policy introduced by the Company from time to time to comply with the DPA or equivalent legislation in any other relevant jurisdiction. Breach of this undertaking will constitute a disciplinary offence.
18.2 The Executive hereby consents to the Company holding and processing both electronically and manually the personal data it collects which relates to the Executive which is necessary or reasonably required for the proper performance of this agreement, for management, administrative and other employment related purposes (both during and after the Appointment) or for the conduct of the Group’s business or to comply with applicable law, rules and regulations (the “Authorised Purposes”) and the Executive agrees to provide the Group with all personal data relating to him which is necessary or reasonably required for the Authorised Purposes. 18.3 The Executive explicitly consents to the Company or any other Group Company processing his personal data, including his sensitive personal data, where this is necessary or reasonably required to achieve one or more of the Authorised Purposes. 18.4 The Executive acknowledges that the Company may, from time to time collect or disclose his personal data (including his sensitive personal data) from and to third parties (including without limitation the Executive’s referees, any management consultants or computer maintenance companies engaged by the Company, the Company’s professional advisers, other Group Companies, any suppliers of goods or services to the Group and potential purchasers of the business carried on by the Company and/or the Group). The Executive consents to such collection and disclosure even where this involves the transfer of such data, with appropriate safeguards, outside the European Economic Area where this is necessary or reasonably required to achieve one or more of the Authorised Purposes or is in the interests of the Company and/or its shareholders. 18.5 The Company agrees to process any personal data made available to it by the Executive in accordance with the provisions of the DPA.
18.6 In this clause “data controller” “personal data” “processing” and “sensitive personal data” shall have the meaning set out in section 1 of the DPA.

Appears in 2 contracts

Samples: Service Agreement (Eros International PLC), Service Agreement (Eros International PLC)

Data Protection. 28.1 The Contractor shall be registered under the DPA and both parties will duly observe all of their obligations under the DPA, which arise in connection with the Agreement. 28.2 The Contractor shall not disclose or allow access to data arising from the Contractor’s participation in this Contract to any person not requiring the data in the provision of the Services. 28.3 Any disclosure of or access to Personal Data which is comprised in the Authority’s Data, provided by the Authority, shall be made in confidence and shall extend only so far as that which is specifically necessary for the purpose of the performance of any Contract awarded under the Agreement. 28.4 The parties shall at all times comply with the DPA and all subordinate and related legislation as enacted from time to time. The Authority shall be a Data Controller of the Personal Data, which is comprised in the Authority’s Data, provided by the Authority, collected and held by the Contractor in performing the Services, and such Personal Data, provided by the Authority, shall form part of the Authority’s Data.
28.5 Notwithstanding the general obligation in clause 28.1, where the Contractor is processing Personal Data which is comprised in the Authority’s Data, provided by the Authority, as a processor for the Authority (as defined by the DPA), and the Contractor shall ensure that it has in place appropriate technical and organisational measures to ensure the security of the Personal Data comprised in the Authority’s Data (and to guard against unauthorised or unlawful processing of the Personal Data comprised in the Authority’s Data and against accidental loss or destruction of, or damage to, Personal Data comprised in the Authority’s Data), as required under the seventh Data Protection Principle in Schedule 1 to the DPA; and 28.5.1 provide the Authority with such information as the Authority may reasonably require to satisfy itself that the Contractor is complying with its obligations; 28.5.2 promptly notify the Authority of any breach of the security measures required to be put in place pursuant to clause 28.5 which affects the Personal Data comprised in the Authority’s Data which has been provided by the Authority to the Contractor; and 28.5.3 ensure that it does not knowingly or negligently place the Authority in breach of the Authority’s obligations under DPA in respect of the Personal Data comprised in the Authority’s Data which has been provided by the Authority to the Contractor.
28.6 The Contractor shall at all times: 28.6.1 only use the Personal Data, comprised in the Authority’s Data provided by the Authority, which it holds in connection with the provision of the services in accordance with the written instructions of the Authority and in accordance with the terms and conditions of this Agreement and any subsequent Contract and shall not use it for any other purpose; 28.6.2 not disclose Personal Data comprised in the Authority’s Data, provided by the Authority, to any third parties other than (i) to the extent required by a court order, or (ii) employees and sub-contractors to whom such disclosure is reasonably necessary in order for the Contractor to carry out the services provided that such disclosure is made subject to written terms substantially the same as the terms contained in this Clause and provided that such disclosure has been approved in advance by the Authority; 28.6.3 procure that it shall only undertake processing of Personal Data comprised in the Authority’s Data, provided by the Authority, reasonably required and/or necessary in connection with this Agreement and any subsequent Contract and shall not transfer any Personal Data, provided by the Authority, to any country or territory outside the European Economic Area; 28.6.4 promptly provide the Authority with all necessary Personal Data comprised in the Authority’s Data, provided by the Authority, which is in the possession of or under the control of the Contractor including in a situation where the Authority is served with a subject access request under the DPA and the Authority informs the Contractor in writing that this is the case.
28.7 In addition to the obligation at Clause 28.6 if the Contractor should at any time receive a request for information (a subject access request) from any person for whom it holds Personal Data comprised in the Authority’s Data, provided by the Authority, as a result of the provision of the Service, it shall immediately inform the Authority of such request and the Parties shall take all actions necessary in order to ensure that the requirements of the DPA with regard to such request are fulfilled including complying with applicable time limits. 28.8 The Contractor shall ensure that any sub-contractor complies with this Condition 28. 28.9 This section has been redacted as it is exempt under the Freedom of Information Act Section 43

Appears in 2 contracts

Samples: Framework Agreement, Framework Agreement

Data Protection. 9.1 The Parties agree that in relation to: 9.1.1 Personal Data processed by the Pharmacy Contractor by providing Services under this Agreement, the Pharmacy Contractor shall be the sole Data Controller; and 9.1.2 Personal Data, the processing of which is required by the Commissioner for the purposes of quality assurance, performance management and contract management the Commissioner and the Pharmacy Contractor will be Data Controllers in common together (the “Agreed Purpose”), 9.2 Schedule 1 sets out the categories of Data Subjects, types of Personal Data, Processing operations (including scope, nature and purpose of Processing) and the duration of Processing. 9.3 Each Party shall comply with all the obligations imposed on a Data Controller under the Data Protection Laws in relation to all Personal Data that is processed by it in the course of performing its obligations under this Agreement. 9.4 Any material breach of the Data Protection Laws by one Party shall, if not remedied within fourteen (14) days of written notice from the other Party, give grounds to the other Party to terminate this agreement with immediate effect.
9.5 In relation to the processing of any Personal Data, each Party shall: 9.5.1 ensure that it has all necessary notices and consents in place to enable lawful sharing of Personal Data to the Permitted Recipients for the Agreed Purpose; 9.5.2 give full information to any Data Subject whose Personal Data may be processed under this agreement of the nature of such processing; 9.5.3 process the Personal Data only for the Agreed Purpose; 9.5.4 not disclose or allow access to the Personal Data to anyone other than the Permitted Recipients; 9.5.5 ensure that all Permitted Recipients are reliable and have had sufficient/adequate training pertinent to the care and handling of the resident Personal Data; 9.5.6 ensure that all Permitted Recipients are subject to written contractual obligations concerning the Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this agreement; 9.5.7 ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data in accordance with Article 32 GDPR; 9.5.8 not transfer any personal data outside the European Economic Area unless the transferor ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR; or (iii) one of the derogations for specific situations in Article 49 GDPR applies to the transfer; 9.5.9 assist the other Party (at its own cost) in responding to any request from a Data Subject and in ensuring its compliance with all applicable requirements and obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
22.2.9 provide 9.6 Each Party shall notify the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details other Party without undue delay on becoming aware of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations Breach under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is 
transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 2 contracts

Samples: Agreement for the Supply of Disposal of Clinical Sharps Service, Agreement for the Supply of Disposal of Clinical Sharps Service

Data Protection. 30.1 For the purposes of this Clause 30, the terms "Data Controller", "Data Processor", “Data Subject” "Personal Data", "Process" and "Processing" shall have the meaning prescribed under the DPA. 30.2 The Provider shall (and shall procure that all of its Staff and Sub-Contractors and/or Agents) comply with any notification requirements under the DPA and all Parties will duly observe all of their obligations under the DPA which arise in connection with this Contract. 30.3 The Provider shall not disclose Personal Data to any third parties other than: 30.3.1 to staff, Sub-Contractors and agents to whom such disclosure is reasonably necessary in order to perform the Agreement; or 30.3.2 to the extent required under a court order. 30.4 Notwithstanding the general obligation in Clause 30.1, where the Provider is processing Personal Data as a Data Processor for the Customer the Provider shall:- 30.4.1 Process the Personal Data only in accordance with instructions from the Customer as set out in this Contract or as otherwise notified by the Customer; 30.4.2 comply with all applicable laws; 30.4.3 Process the Personal Data only to the extent, and in such manner as is necessary for the provision of the Provider's obligations under the Agreement; 30.4.4 implement appropriate technical and organisational measures to ensure the security of the Authorised Personal Data (and to guard against unauthorised or unlawful processing of the personal data) as required under the “Seventh Data Protection Principle” and protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
30.4.5 take all reasonable steps to ensure the reliability of any its employees and agents who may have access to the Personal Data and use all reasonable endeavours to ensure that such persons have sufficient skills and training in the handling of Personal Data; 30.4.6 The Provider shall not cause or permit to be processed, stored, accessed and/or otherwise transferred outside the European Economic Area any Personal Data or other Personal Data supplied to it by LPP or the Customer, as the case may be, and, where LPP and/or the Customer consents to such processing, storage, access and/or transfer outside the European Economic Area, shall comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection. 30.4.7 not disclose the Personal Data to any third parties in any circumstances other than with the written consent of the Customer or in compliance with a legal obligation imposed upon the Customer; and

Appears in 2 contracts

Samples: Dynamic Purchasing System Agreement, Dynamic Purchasing System Agreement

Data Protection. 19.1 Both Parties will comply with all applicable requirements of the Data Protection Legislation. This clause 19 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. 19.2 In relation to Personal Data, both Parties shall at all times comply with the Data Protection Legislation as a data controller if necessary. Schedule 10 sets out the scope, nature and purpose of processing by the Parties, the duration of the processing and the types of Personal Data and categories of Data Subject. 19.3 The Parties shall only undertake processing of Personal Data reasonably required in connection with this Agreement and shall not transfer any Personal Data to any country or territory outside the EEA. 19.4 Without prejudice to the generality of clause 19.1, the Parties will ensure that they have all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the other Party for the duration and purposes of this Agreement. 19.5 Without prejudice to the generality of clause 19.1, the Parties shall, in relation to any Personal Data processed in connection with the performance of their obligations under this Agreement: (a) process that Personal Data only on the documented written instructions of the other Party, unless required by Domestic Law to otherwise process that Personal Data.
Where a Party is relying on Domestic Law as the basis for processing Personal Data, that Party shall promptly notify the other Party of this before performing the processing required by Domestic Law unless the Domestic Law prohibits such notification; (b) ensure that it has in place appropriate technical and organisational measures (as defined in the Data Protection Legislation) to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);

Appears in 2 contracts

Samples: Inter Authority Agreement, Inter Authority Agreement

Data Protection. 22.1 With respect 1.1 The Introducer undertakes, without prejudice to the Parties' rights and obligations under other terms of this Framework Agreement, that: 1.1.1 it has at the Parties agree that date of this Agreement and shall at all times maintain, at its own cost, all necessary registrations under the Authority is DPA and/or notifications to the Data Controller Information Commissioner and that the Supplier is Introducer shall at all times comply with the Data Processor. 22.2 The Supplier shall: 22.2.1 Process provisions of the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term)DPA; 22.2.2 Process 1.1.2 the Personal Data Introducer shall only to the extentprocess personal data lawfully and after having taken, and in such mannercontinuing to take, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data guard against unauthorised or unlawful Processing processing of personal data and against accidental lossloss or destruction of, destructionor damage to, damagethe personal data. In doing so, alteration or disclosure. 
These measures the Introducer shall be provide a level of security appropriate to the harm which that might result from any unauthorised or unlawful Processing, processing or accidental loss, destruction or damage to the Personal Data personal data and also the nature of the personal data being protected and having regard to the nature state of technological development and to the Personal Data which is to be protectedcost of implementing such measures; 22.2.4 1.1.3 the Introducer shall promptly give BoS such access and assistance as BoS may reasonably request to confirm compliance by the Introducer with its obligations under this Agreement in relation to the personal data; 1.1.4 the Introducer shall at all times take all reasonable steps to ensure the reliability of any Supplier’s Staff those of its staff who have access to personal data with a view to ensuring compliance with the Personal Data;DPA; and 22.2.5 obtain prior Approval from 1.1.5 the Authority Introducer shall keep accurate and up-to-date records of the personal data. 1.2 The Introducer and BoS agree to use all reasonable endeavours to reach agreement on any change to the processing of personal data under this condition 1 which may be required in order to transfer comply with any enforcement notice served on either of them or in response to proceedings or enquiries from the Personal Data Information Commissioner’s Office in order to any Sub-Contractors avoid an enforcement notice being served or Affiliates for the provision of the Services;to ensure compliance with one. 
22.2.6 1.3 The Introducer shall ensure that all Supplier Staff required persons (other than BoS) to whom any personal data relating to any Applicant is disclosed, or who have or may have access to personal data, maintain the Personal Data are informed confidentiality of the confidential nature of the Personal Data that personal data and comply with the obligations set out terms of this condition 1 as if references in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of condition 1 to the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access Introducer included references to that person's Personal Data; or. (b) a complaint 1.4 The obligations accepted under or request relating pursuant to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is 
this condition 1 shall remain in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical force and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body effect without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out limit in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concernedtime. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 2 contracts

Samples: Client Banking Introducer Agreement, Client Banking Introducer Agreement

Data Protection. 22.1 23.1 With respect to the Partiesparties' rights and obligations under this Framework Agreementagreement, the Parties parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier’s attention is hereby drawn to the Data Protection Requirements set out in clause 23.2 below. The Authority and the Supplier shall observe their obligations under the Data Protection Requirements. 22.2 23.2 The Supplier shall: 22.2.1 23.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement Contract or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 23.2.2 Process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Development Services or as is required by Law law or any Regulatory Bodythe Information Commissioner; 22.2.3 23.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure.
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 23.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff Supplier Personnel who have access to the Personal Data; 22.2.5 23.2.5 obtain prior Approval written consent from the Authority in order to transfer the Personal Data to any Subsub-Contractors or Affiliates contractors for the provision of the Development Services; 22.2.6 23.2.6 ensure that all Supplier Staff Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)clause 23; 22.2.7 23.2.7 ensure that none of Supplier’s Staff the Supplier Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 23.2.8 notify the Authority within Authority(within five (5) Working Days or such other period as specified by the Authority (if any)) if it receives: (a) 23.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or (b) 23.2.8.2 a complaint or request relating to the AuthorityCustomer's obligations under the Data Protection LegislationRequirements; 22.2.9 23.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) 23.2.9.1 providing the Authority with full details of the complaint or request; (b) 23.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation Requirements and in accordance with the Authority's instructions; (c) 23.2.9.3 providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the AuthorityCustomer); 
and (d) 23.2.9.4 providing the Authority with any information requested by the AuthorityCustomer; 22.2.10 The Supplier shall: (a) 23.2.10 permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Subsub-Contractorscontractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework AgreementContract; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 2 contracts

Samples: Software Development Agreement, Software Development Agreement

Data Protection. 22.1 With respect 20.1 The Parties acknowledge their respective duties under the DPA and shall give all reasonable assistance to each other where appropriate or necessary to comply with such duties. 20.2 To the Parties' rights and extent that the Lead is acting as a Data Processor (as such term is defined in the DPA) on behalf of the CCG / Council, the Lead shall, in particular, but without limitation: 20.2.1 only process such Personal Data as is necessary to perform its obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified any instruction given by the Authority to the Supplier during the Term)CCG / Council under this Agreement; 22.2.2 Process the Personal Data only to the extent, and 20.2.2 put in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement place appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processingprocessing of such Personal Data, and against the accidental loss, loss or destruction of or damage to the such Personal Data and having regard to the nature specific requirements in Clause 0 below, the state of technical development and the level of damages that may be suffered by a Data Subject (as such term is defined in the DPA) whose Personal Data which is to be protectedaffected by such unauthorised or unlawful processing or by its loss, damage or destruction; 22.2.4 20.2.3 take all reasonable steps to ensure the reliability of any Supplier’s Staff employees who will have access to the such Personal Data;, and ensure that such employees are aware of and trained in the policies and procedures identified in Clauses 0, 0 and 0 below; and 22.2.5 obtain prior Approval from the Authority in order to transfer the 20.2.4 not cause or allow such Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data 
Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned andCCG / Council. 
20.3 The Lead shall ensure that Personal Data is safeguarded at all times in accordance with the DPA and other relevant data protection legislation, which shall include without limitation the obligation to: 20.3.1 perform an annual information governance self-assessment; 20.3.2 have an information guardian able to communicate with the Joint Commissioning Board, who will take the lead for information governance and from whom the Joint Commissioning Board shall receive regular reports on information governance matters including details of all data loss and confidentiality breaches; 20.3.3 (where the Authority or Other Contracting Body concerned consents to Processing and/or transferred electronically) only transfer outside the European Economic Area, to comply with:essential data that is (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferrednecessary for direct Service User care; and and (ii) any reasonable instructions notified encrypted to it by the Authority higher of the international data encryption standards for healthcare and the National Standards (this includes, but is not limited to, data transferred over wireless or Contracting Body concerned.wired networks, held on laptops, CDs, memory sticks and tapes); 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.20.3.4 have policies which are rigorously applied that describe individual personal responsibilities for handling Personal Data;

Appears in 2 contracts

Samples: Joint Commissioning Agreement, Agreement Under Section 75 of the National Health Service Act 2006 for the Joint Commissioning of Health & Social Care Services

Data Protection. 22.1 With respect 14.1 The CONTRACTOR’s attention is hereby drawn to the Parties' rights Data Protection Requirements. The CUSTOMER and the CONTRACTOR shall observe their obligations under the Data Protection Requirements. 14.2 Where the CONTRACTOR, pursuant to its obligations under this Framework AgreementContract, undertakes the Parties agree that Processing of Personal Data on behalf of the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier CUSTOMER, it shall: 22.2.1 Process 14.2.1 carry out the Processing of Personal Data only in accordance with instructions from the Authority CUSTOMER (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement Contract or as otherwise notified by the Authority CUSTOMER to the Supplier CONTRACTOR during the Term); 22.2.2 Process 14.2.2 carry out the Processing of Personal Data only to the extent, and in such manner, as it is necessary for the provision supply of the Ordered Goods and Ordered Services or as is required by Law or any Regulatory Body; 22.2.3 14.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 14.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff CONTRACTOR personnel who have access to the Personal Data; 22.2.5 14.2.5 obtain prior Approval written consent from the Authority CUSTOMER in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision supply of the Ordered Goods and Ordered Services; 22.2.6 14.2.6 ensure that all Supplier Staff any CONTRACTOR personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)14; 22.2.7 14.2.7 ensure that none of Supplier’s Staff the CONTRACTOR personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCUSTOMER; 22.2.8 14.2.8 notify the Authority CUSTOMER (within five (5) Working Days Days) if it receives: (a) : a request from a Data Subject to have access to that person's ’s Personal Data; or (b) or a complaint or request relating to the Authority's CUSTOMER’s obligations under the Data Protection LegislationRequirements; 22.2.9 14.2.9 provide the Authority CUSTOMER with full cooperation and assistance in relation to any complaint or request made, including by: (a) : providing the Authority CUSTOMER with full details of the complaint or request; (b) ; complying with a data access request within the relevant timescales set out in the Data Protection Legislation Requirements and in accordance with the Authority's CUSTOMER’s instructions; (c) ; providing the Authority CUSTOMER with any Personal Data it holds in relation to a Data Subject (within the timescales required by the AuthorityCUSTOMER); and (d) and 
providing the Authority CUSTOMER with any information requested by the AuthorityCUSTOMER; 22.2.10 The Supplier shall: (a) 14.2.10 permit the Authority CUSTOMER or the Authority’s Representative its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, audit the Supplier's CONTRACTOR’s data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority CUSTOMER to enable the Authority CUSTOMER to verify and/or procure that the Supplier CONTRACTOR is in full compliance with its obligations under this Framework AgreementContract; (b) 14.2.11 provide a written description of the technical and organisational methods employed by the Supplier CONTRACTOR for Processing Personal Data (within the timescales required by the AuthorityCUSTOMER); and (c) 14.2.12 not cause or permit to be Processed and/or otherwise transferred undertake the Processing of Personal Data outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned CUSTOMER and, where the Authority or Other Contracting Body concerned CUSTOMER consents to Processing and/or transfer outside the European Economic Areaa transfer, to comply with: (i) : the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) and any reasonable instructions notified to it by the Authority or Contracting Body concernedCUSTOMER. 
22.2.11 14.3 The Supplier CONTRACTOR shall comply at all times with the Data Protection Legislation Requirements and shall not perform its obligations under this Framework Agreement Contract in such a way as to cause the Authority CUSTOMER to breach any of its applicable obligations under the Data Protection LegislationRequirements. 14.4 The CUSTOMER may from time to time serve on the CONTRACTOR an information notice requiring the CONTRACTOR within such time and in such form as is specified in the information notice, to furnish to the CUSTOMER such information as the CUSTOMER may reasonably require relating to: 14.4.1 compliance by the CONTRACTOR with the CONTRACTOR’s obligations under this Contract in connection with the Processing of Personal Data; and/or 14.4.2 the rights of Data Subjects, including but not limited to subject access rights. 14.5 The CONTRACTOR will allow its data Processing facilities, procedures and documentation to be submitted for scrutiny by the CUSTOMER or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Contract. 14.6 With respect to the parties’ rights and obligations under this Contract, the parties acknowledge that, except where otherwise agreed, the CUSTOMER is the Data Controller and the CONTRACTOR is the Data Processor. 
Where the CONTRACTOR wishes to appoint, in accordance with the provisions of Clause 26, a Sub-Contractor to assist it in providing the Ordered Goods and Ordered Services and such assistance includes the Processing of Personal Data on behalf of the CUSTOMER, then, subject always to compliance by the CONTRACTOR with the provisions of Clause 26 relating to the appointment of Sub-Contractors, the CUSTOMER hereby grants to the CONTRACTOR a delegated authority to appoint on the CUSTOMER’s behalf such Sub-Contractor to undertake the Processing of Personal Data provided that the CONTRACTOR shall notify the AUTHORITY in writing of such appointment and the identity and location of such Sub-Contractor. The CONTRACTOR warrants that such appointment shall be on substantially the same terms with respect to Data Protection Requirements as are set out in this Contract, including the terms set out in Clause 14.2. Any Sub-Contractor appointed under the provisions of this Clause 14.6 shall, for the purposes of Schedule 2-8, be regarded as a principal Sub-Contractor and shall be specified in Table 1 of Schedule 2-8. 14.7 Save as set out in this Clause 14, any unauthorised Processing, use or disclosure of Personal Data by the CONTRACTOR is strictly prohibited. 14.8 The CONTRACTOR shall be liable for and shall indemnify (and keep indemnified) the CUSTOMER against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the CUSTOMER which arise directly or in connection with the CONTRACTOR’s data Processing activities under this Contract, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the CONTRACTOR or its employees, servants, agents or Sub-Contractors.

Appears in 2 contracts

Samples: Contract, Contract

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Both Parties agree that the Authority is will comply with all applicable requirements of the Data Controller and that the Supplier Protection Legislation. This Clause 21 is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extentaddition to, and in such mannerdoes not relieve, as it necessary for the provision of the Services remove or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental lossreplace, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the AuthorityParty's obligations under the Data Protection Legislation. 
Without prejudice to the generality of Clause 21.1, Client shall: 21.3.1 ensure that it or (where applicable) the relevant Data Controller has all necessary appropriate consents and notices in place to enable the Processing of the Personal Data by CSI for the duration and purposes of this agreement; 22.2.9 provide 21.3.2 ensure that any Personal Data that it or (where applicable) the Authority relevant Data Controller provides is lawfully disclosed or provided to CSI; 21.3.3 not cause CSI to be in breach of the Data Protection Legislation; 21.3.4 ensure that any instructions provided to CSI regarding the Processing of Personal Data are lawful and shall, at all times, be in accordance with full cooperation Data Protection Legislation; 21.3.5 accept that it has sole responsibility for the technical and assistance organisational measures employed in the Client’s Environments (except where expressly stated as the responsibility of CSI in an Order) and shall maintain any appropriate measures (including any reasonable measures recommended by CSI) in respect of the security of the Personal Data, which may include the pseudonymisation and encryption of the Personal Data; and 21.3.6 ensure that the Personal Data shall not include any Sensitive Personal Data (as defined in the Data Protection Legislation) without first agreeing additional data protection and information security controls with CSI. Without prejudice to the generality of Clause 21.1, CSI shall, in relation to any complaint Personal Data Processed in connection with the performance by CSI of its obligations under this agreement: 21.4.1 Process that Personal Data only on the written instructions of the Client unless CSI is required by Applicable Laws to Process Personal Data. 
Where CSI is relying on Applicable Laws as the basis for Processing Personal Data, CSI shall promptly notify the Client of this before performing the Processing required by the Applicable Laws unless those Applicable Laws prohibit CSI from so notifying the Client; 21.4.2 ensure that it has in place the technical and organisational measures set out in Schedule 2 to protect against unauthorised or request madeunlawful Processing of Personal Data and against accidental loss or destruction of, including byor damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful Processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, ensuring the pseudonymisation, encryption, confidentiality, integrity, availability and resilience of its systems and services, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 21.4.3 ensure that all Personnel, suppliers and sub-contractors who have access to and/or Process the Personal Data are obliged to keep the Personal Data confidential; 21.4.4 not transfer or Process any Personal Data outside of the European Economic Area unless the prior written consent of the Client has been obtained and the following conditions are fulfilled: (a) providing the Authority with full details of Client or CSI has provided appropriate safeguards in relation to the complaint or requesttransfer; (b) complying with a data access request within the relevant timescales Data Subjects have enforceable rights and effective legal remedies as set out in the Data Protection Legislation and in accordance with the Authority's instructionsLegislation; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the 
Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance CSI complies with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iid) any CSI complies with reasonable instructions notified to it in advance by the Client with respect to the Processing of the Personal Data; 21.4.5 promptly inform Client on, and in any event within five (5) Business Days of, receipt of any communication from a Data Subject, Supervisory Authority or Contracting Body concerned.authorised third party regarding the Processing of Client Data; 22.2.11 The Supplier shall comply at all times with 21.4.6 if a Data Subject exercises any of its rights under the Data Protection Legislation 
(including rights of access, correction, blocking, suppression or deletion as are available to such individual) CSI shall, at Client’s cost, promptly provide reasonable assistance in the provision of such information related to the CSI’s Processing as Client reasonably requires; 21.4.7 assist Client in responding to any request from a Data Subject and shall not perform in ensuring compliance with its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with Supervisory Authorities and/or regulators and CSI shall be entitled to levy an additional charge on the Client for its reasonable time and effort utilised in providing such prompt cooperation and assistance as well as any costs and expenses incurred where any assistance provided is outside the scope of the Managed Services and Services; 21.4.8 promptly co-operate with all reasonable requests or directions arising directly from, or in connection with the exercise of its powers by a Supervisory Authority; 21.4.9 notify the Client without undue delay, and in any event within forty eight (48) hours, on becoming aware of a known or suspected Personal Data Breach and/or shall provide Client with all reasonable assistance in providing information for and in the reporting of a Personal Data Breach to the relevant Supervisory Authority; 21.4.10 notify Client if any instructions of the Client shall, to the knowledge of CSI, infringe Data Protection Legislation; 21.4.11 at the written direction of the Client, delete or return the Personal Data and copies thereof to the Client on request, and in any event on expiry or termination of an applicable Order or expiry or termination of this agreement unless required by Applicable Law to store the Personal Data; and 21.4.12 maintain complete and accurate records of Processing and other 
appropriate information to demonstrate its compliance with this Clause 21; 21.4.13 CSI shall allow for and contribute to audits, including inspections, conducted by the Client, the Client’s customers or another independent auditor proposed by the Client and approved by CSI, for the purpose of demonstrating compliance by CSI and with their obligations under this Clause 21 provided that the Client gives CSI reasonable prior notice of such audit and/or inspection and they are limited to no more than once per annum unless (i) otherwise agreed by CSI or (ii) if CSI has been found to be in breach of this Clause 21 within the previous twelve (12) months and Client wishes to confirm that CSI is now compliant. CSI shall be entitled to levy an additional charge on the Client for its reasonable time and effort utilised in providing such contribution and assistance as well as any costs and expenses incurred for additional audits over the once per annum except where CSI has been found to be in breach of this Clause 21 within the previous twelve (12) months. The Client consents to CSI appointing any third parties notified to the Client as a third-party processor to Process Personal Data (“Sub-processors”) under this agreement. CSI confirms that it has entered into, or (as the case may be) will use its reasonable endeavours to enter into a written agreement incorporating terms which are substantially similar to and as far as reasonably possible on terms that are no less onerous than those set out in this Clause 21. As between the Client and the CSI, CSI shall remain fully liable for all acts or omissions of any Sub-processors appointed by it pursuant to this Clause 21. CSI shall promptly notify Client in writing of any loss or damage to the Client Data. In the event of any loss or damage to Client Data, Client's sole and exclusive remedy shall be for CSI to use reasonable commercial endeavours to restore the lost or damaged Client Data from the latest backup of such Client Data.
CSI shall not be responsible for any loss, destruction, alteration or unauthorised disclosure of Client Data caused by any third party (except those third parties subcontracted by CSI to perform services related to Client Data maintenance and back-up) nor for the security or integrity of any Client Personal Data during its transmission via public telecommunications facilities, the Internet or similar. 21.7.1 the Parties shall execute and shall comply with the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), in the form set out in Schedule 7 to this agreement; and 21.7.2 the Parties agree that CSI shall be entitled to levy such additional charges costs and expenses in respect of its assistance and cooperation as provided for under Clause 21.4. Each party (the “Indemnifying Party”) shall indemnify the other party (the “Indemnified Party”) against: 21.8.1 all claims, liabilities, costs, expenses, damages and losses (including but not limited to all reasonable professional costs and expenses) (“Losses”) suffered or incurred by the Indemnified Party arising out of or in connection with: a Personal Data Breach, any claim by a third party (including but not limited to a Data Subject) or any failure by the Indemnifying Party to comply with its obligations under this Clause 21; and 21.8.2 all penalties, awards, fines which are imposed upon by a Supervisory Authority, except to the extent that such Losses have arisen out of or in connection with any negligence or wilful default of the Indemnified Party or any breach by the Indemnified Party of its obligations under this Clause 21 (Data Protection).

Appears in 2 contracts

Samples: Framework Agreement, Framework Agreement

Data Protection. 22.1 With respect to the Parties' rights 23.1 The AUTHORITY recognises, understands, and obligations under this Framework Agreementagrees that CONTRACTOR is not subject to, the Parties agree that the Authority is the and therefore does not comply with United Kingdom Data Controller and that the Supplier is the Data ProcessorProtection Legislation. 22.2 23.2 The Supplier CONTRACTOR shall: 22.2.1 23.2.1 Process the Personal Data only in accordance with instructions from the Authority AUTHORITY or as reasonably necessary to perform the Services (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement Contract or as otherwise notified by the Authority AUTHORITY to the Supplier CONTRACTOR during the Term); 22.2.2 23.2.2 Process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Services or as is required by Law applicable law or any Regulatory Bodyregulation; 22.2.3 implement appropriate 23.2.3 Implement commercially reasonable technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 23.2.4 obtain prior Approval written consent from the Authority AUTHORITY in order to transfer the Personal Data to any Sub-Contractors or Affiliates for to meet its obligations under this Contract and, where such Personal Data is transferred the provision CONTRACTOR shall: i. provide only the minimum Personal Data necessary; and ii. 
Require the Sub CONTRACTOR to provide an adequate level of the Services;protection to any Personal Data that is transferred. 22.2.6 ensure 23.2.5 Ensure that all Supplier Contractors’ Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)Condition; 22.2.7 23.2.6 ensure that none of SupplierCONTRACTOR’s Staff personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityAUTHORITY or as necessary to perform the Services; 22.2.8 23.2.7 notify the Authority AUTHORITY reasonably promptly (and within five (5ten Working Days) Working Days if it receives: (a) i. a request from a Data Subject to have access to that person's Personal Data; or (b) a ii. A complaint or request relating to the Authority's AUTHORITY’s obligations under the any Data Protection Legislation; 22.2.9 provide 23.2.8 Provide the Authority AUTHORITY with full reasonable cooperation and assistance in relation to any complaint or request made, including by: (a) i. providing the Authority AUTHORITY with full details of the complaint or request; (b) ii. complying with a data access request within a reasonable timeframe of the relevant timescales set out request, making commercially reasonable efforts to respond in time to allow the Data Protection Legislation and in accordance with the Authority's instructionsAUTHORITY adequate time to respond to any such complaint or request; (c) providing iii. Providing the Authority AUTHORITY with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authoritya reasonable timeframe); and (d) providing iv. 
Providing the Authority AUTHORITY with any information reasonably requested by the AuthorityAUTHORITY that relates to the AUTHORITY; 22.2.10 The Supplier shall: (a) permit 23.2.9 provide the Authority AUTHORITY or the AuthorityAUTHORITY’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect with appropriate assurances, evidences and audit, explanations of the Supplier's CONTRACTOR’s data Processing activities (and/or those of its agents, subsidiaries and and, to the extent CONTRACTOR has the right, any Sub-Contractorscontractors, who process the AUTHORITY’s Personal Data) and comply with all reasonable requests or directions by the Authority AUTHORITY to enable the Authority AUTHORITY to verify and/or procure that the Supplier CONTRACTOR is in full compliance with its obligations under this Framework AgreementContract; (b) 23.2.10 provide a written description of the technical and organisational methods employed by the Supplier CONTRACTOR for Processing processing Personal Data (within the timescales required a reasonable timeframe from a request by the AuthorityAUTHORITY); and (c) 23.2.11 not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Process Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned AUTHORITY unless necessary to meet its obligations under this Contract and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic AreaPersonal Data is processed, to comply withto: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing i. provide an adequate level of protection to any Personal Data that is transferredto be processed; and (ii) . 
Endeavour to comply, to the extent commercially reasonable, with any reasonable instructions notified to it by the Authority or Contracting Body concernedAUTHORITY. 22.2.11 23.3 The Supplier CONTRACTOR shall comply at all times with indemnify and keep indemnified, the Data Protection Legislation and shall not perform AUTHORITY fully against any financial penalties caused directly by (1) the breach by the CONTRACTOR or its obligations under this Framework Agreement in such a way as to cause the Authority to breach Staff of any of the provisions of this Condition 23 (Data Protection), or (2) any misuse, loss or unauthorised use or disclosure by the CONTRACTOR or its applicable obligations under Staff of any Personal Data relating to any person, except and to the extent that such financial penalties were caused or contributed to by the AUTHORITY. The indemnity provided by this Section 23.3 shall be subject to the limits set forth herein in Section 17. 23.4 Notwithstanding the foregoing, the CONTRACTOR shall be permitted to disclose Personal Data Protection Legislationin connection with soliciting bids from Insurance Carriers as outlined in Part IV – Specification (Services Scope), provided the CONTRACTOR provides only the minimum Personal Data necessary and informs each Insurance Carrier of the confidential nature of the Personal Data.

Appears in 2 contracts

Samples: Security Guarding Services Agreement, Security Guarding Services Agreement

Data Protection. 22.1 With respect 20.1 The Parties acknowledge their respective duties under the DPA and shall give all reasonable assistance to each other where appropriate or necessary to comply with such duties. 20.2 To the Parties' rights and extent that the Lead Commissioner is acting as a Data Processor (as such term is defined in the DPA) on behalf of the other Party, the Lead Commissioner shall, in particular, but without limitation: 20.2.1 only process such Personal Data as is necessary to perform its obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified any instruction given by the Authority to the Supplier during the Term)other Party under this Agreement; 22.2.2 Process the Personal Data only to the extent, and 20.2.2 put in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement place appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processingprocessing of such Personal Data, and against the accidental loss, loss or destruction of or damage to the such Personal Data and having regard to the nature specific requirements in Clause 20.2.3 below, the state of technical development and the level of damages that may be suffered by a Data Subject (as such term is defined in the DPA) whose Personal Data which is to be protectedaffected by such unauthorised or unlawful processing or by its loss, damage or destruction; 22.2.4 20.2.3 take all reasonable steps to ensure the reliability of any Supplier’s Staff employees who will have access to the such Personal Data;, and ensure that such employees are aware of and trained in the policies and procedures identified in Clauses 20.3.3 - 20.3.5 below; and 22.2.5 obtain prior Approval from the Authority in order to transfer the 20.2.4 not cause or allow such Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the 
Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned andother Party. 
20.3 The Lead Commissioner shall ensure that Personal Data is safeguarded at all times in accordance with the DPA and other relevant data protection legislation, where which shall include without limitation the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply withobligation to: 20.3.1 Will comply with statutory requirements regarding information governance self-assessments; 20.3.2 have an information guardian able to communicate with the Joint Commissioning Board, who will take the lead for information governance and from whom the Joint Commissioning Board shall receive regular reports on information governance matters including details of all data loss and confidentiality breaches; 20.3.3 (where transferred electronically) only transfer essential data that is (i) necessary for direct Service User care; and (ii) encrypted to the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 higher of the Data Protection Act 1998 by providing an adequate level of protection to any international data encryption standards for healthcare and the National Standards (this includes, but is not limited to, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes); 20.3.4 have policies which are rigorously applied that describe individual personal responsibilities for handling Personal Data; 20.3.5 have agreed protocols for sharing Personal Data that is transferredwith other NHS organisations and non-NHS organisations; and (ii) 20.3.6 have a system in place and a policy for the recording of any reasonable instructions notified telephone calls, where appropriate, in relation to it by the Authority or Contracting Body concernedServices, including the retention and disposal of such recordings. 
22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 2 contracts

Samples: Agreement Under Section 75 of the National Health Service Act 2006 for the Joint Commissioning of Health & Social Care Services, Agreement Under Section 75 of the National Health Service Act 2006 for the Joint Commissioning of Health & Social Care Services

Data Protection. 22.1 With respect to 19.1 The Parties acknowledge that for the Parties' rights and obligations under this Framework Agreementpurposes of the Data Protection Legislation, the Parties agree that the Authority Purchaser is the Data Controller and the Supplier is the Processor. The only processing that the Supplier is authorised to do is listed in Schedule 4 by the Purchaser and may not be determined by the Supplier. 19.2 The Supplier shall notify the Purchaser immediately if it considers that any of the Purchaser's instructions infringe the Data ProcessorProtection Legislation. 22.2 19.3 The Supplier shall provide all reasonable assistance to the Purchaser in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Purchaser, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Care Service; (c) an assessment of the risks to the rights and freedoms of data subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 19.4 The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Contract: 22.2.1 Process the (a) process that Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to Schedule 4, unless the Supplier during is required to do otherwise by Law. 
If it is so required the Term); 22.2.2 Process Supplier shall promptly notify the Purchaser before processing the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required unless prohibited by Law or any Regulatory BodyLaw; 22.2.3 implement (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Purchaser as appropriate technical and organisational measures to protect the Personal against a Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and Loss Event having regard to the taken account of the: (i) nature of the Personal Data which is data to be protected; 22.2.4 take (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that : (i) the Supplier personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 4); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Supplier’s Staff Supplier personnel who have access to the Personal DataData and ensure that they: (A) are aware of and comply with the Supplier’s duties under this condition; 22.2.5 obtain prior Approval from (B) are subject to appropriate confidentiality undertakings with the Authority in order to transfer the Personal Data to Supplier or any Sub-Contractors or Affiliates for the provision of the Servicesprocessor; 22.2.6 ensure that all Supplier Staff required to access the Personal Data (C) are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff do not publish, 
disclose or divulge any of the Personal Data to any third party Party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives:Purchaser or as otherwise permitted by this Contract; and (aD) a request from a Data Subject to have access to that person's undergone adequate training in the use, care, protection and handling of Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description not transfer Personal Data outside of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other 
Contracting Body without EU unless the prior written consent of the Authority or Contracting Body concerned and, where Purchaser has been obtained and the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply withfollowing conditions are fulfilled: (i) the Purchaser or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Purchaser; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Supplier complies with its obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 Legislation by providing an adequate level of protection to any Personal Data that is transferredtransferred (or, if it is not so bound, uses its best endeavours to assist the Purchaser in meeting its obligations); and (iiiv) the Supplier complies with any reasonable instructions notified to it in advance by the Authority Purchaser with respect to the processing of the Personal Data; (e) at the written direction of the Purchaser, delete or Contracting Body concernedreturn Personal Data (and any copies of it) to the Purchaser on termination of this Contract unless the Supplier is required by law to retain the Personal Data. 
19.5 Subject to condition 19.6, the Supplier shall notify the Purchaser immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory Authority in connection with Personal Data processed under this Contract; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by law; or (f) becomes aware of a Data Loss Event. 19.6 The Supplier’s obligation to notify under condition 19.5 shall include the provision of further information to the Purchaser in phases, as details become available.
19.7 Taking into account the nature of the processing, the Supplier shall provide the Purchaser with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under condition 19.5 (and insofar as possible within the timescales reasonably required by the Purchaser) including by promptly providing: (a) the Purchaser with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Purchaser to enable the Purchaser to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Purchaser, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Purchaser following any Data Loss Event; (e) assistance as requested by the Purchaser with respect to any request from the Information Commissioner’s Office, or any consultation by the Purchaser with the Information Commissioner's Office. 19.8 The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this condition. This requirement does not apply where the Supplier employs fewer than 250 staff, unless: (a) the Purchaser determines that the processing is not occasional; (b) the Purchaser determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Purchaser determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 19.9 The Supplier shall allow for audits of its Data Processing activity by the Purchaser or the Purchaser’s designated auditor. 19.10 The Supplier shall designate a data protection officer if required by the Data Protection Legislation.
19.11 Before allowing any Sub-processor to process any Personal Data related to this Contract, the Supplier must: (a) notify the Purchaser in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Purchaser; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this condition 19 such that they apply to the Sub-processor; and (d) provide the Purchaser with such information regarding the Sub-processor as the Purchaser may reasonably require. 19.12 The Supplier shall remain fully liable for all acts or omissions of any Sub-processor. 19.13 The Purchaser may, at any time on not less than 30 Working Days’ notice, revise this condition by replacing it with any applicable controller to processor standard conditions or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 19.14 The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Purchaser may on not less than 30 Working Days’ notice to the Supplier amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 2 contracts

Samples: Contract for Adult Care Services, Contract for Adult Care Services

Data Protection. 12.1. For the purposes of this clause 12, the terms “controller”, “data controller”, “processor”, “data processor”, “data subject”, “personal data”, “processing” and “appropriate technical and organisational measures” shall have the meanings given to them in the Data Protection Legislation in force at the relevant time. 12.2. This clause 12 sets out the framework for the sharing of personal data between the parties. For the purposes of this framework the parties (being in this context, Sedex, each of the Members and each Affiliate Audit Company) anticipate that they are data controllers in common (each a “Data Controller”). 12.3. Each Data Controller acknowledges that it may disclose personal data of data subjects in the categories described in Schedule 1 (“Shared Personal Data”). Each Data Controller acknowledges and agrees that such Shared Personal Data shall be disclosed only to parties and Users (“Data Recipients”) in the course of providing or receiving the Services and/or undertaking the Member and Affiliate Audit Company activities as set out in this Framework Agreement and as more particularly described in Schedule 1 (“Agreed Purposes”). 12.4. Each Data Controller shall comply with all the obligations imposed on a data controller under the Data Protection Legislation and shall: 12.4.1.
ensure that all necessary notices are provided and consents obtained to enable lawful processing and sharing of any Shared Personal Data by and with the Data Recipients including, where necessary and appropriate, their responsible employees, consultants, professional advisers, sub-contractors or suppliers and any third parties engaged by them to perform obligations in connection with this Agreement (“Permitted Recipients”); 12.4.2. ensure that Shared Personal Data are adequate, relevant and not excessive; 12.4.3. ensure that Shared Personal Data are accurate, and where necessary, kept up to date; 12.4.4. give all such notices (as may be required by the Data Protection Legislation from time to time) to any data subject whose personal data may be processed under this Agreement of the nature of such processing and such notices must be sufficient to permit the Data Controllers to process personal data respectively in order to exercise their rights and comply with their obligations under the Agreement. This includes giving notice that, on the termination of this Agreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Permitted Recipients, their successors and assignees; 12.4.5. process the Shared Personal Data only for the Agreed Purposes; 12.4.6. not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients (other than as required by law); 12.4.7. ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this Agreement; 12.4.8.
unless prohibited by law, if it is obliged to make a disclosure by law of the Shared Personal Data, shall notify the other relevant Data Controller(s), such notification to be made in advance of such disclosure or, (if not reasonably practicable) immediately thereafter. 12.4.9. ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; 12.4.10. subject to the clause 12.5, not transfer any Shared Personal Data outside the European Economic Area unless the transferor, as Data Controller ensures that: (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 of the GDPR; or (ii) there are appropriate safeguards in place pursuant to Article 46 of the GDPR; or (iii) one of the derogations for specific situations in Article 49 of the GDPR applies to the transfer. 12.5. Sedex, the Members and/or Affiliate Audit Companies as Data Controllers acknowledge that in providing or using the Sedex Platform, they may make international transfers of personal data or receive personal data as a result of such transfers. With the intention of meeting their compliance obligations under the Data Protection Legislation, Sedex, the Members and/or Affiliate Audit Companies, having regard to the practicalities of the operation of the Sedex Platform, as Data Controllers agree as follows: 12.5.1. For the purposes of clauses 12.5.2 and 12.5.3 a transfer means any transfer of personal data relevant to the Agreement from the European Economic Area (to a third country or international organisation, where such third country or international organisation is not approved by the European Commission as providing adequate protection pursuant to Article 45 of the GDPR or does not otherwise have in place an agreement allowing for the transfer of personal data to it; and 12.5.2. any transfer of personal data relevant to the Agreement from the UK to a third country or international organisation, where such third country or international organisation is not approved by the Secretary of State of the United Kingdom as providing adequate protection pursuant to Data Protection Legislation or does not otherwise have in place an agreement allowing for the transfer of personal data to it to outside the European Economic Area (each or any being a “Transfer”); 12.5.3.
In respect of any Transfer between Sedex, and any Member or Affiliate Audit Company entering into this Agreement, each as Data Controller agrees to be bound by the EU Model Clauses and/or any such Applicable UK Clauses as are relevant to the Transfer, and agrees to comply with those clauses at their own cost. For the purposes of the EU Model Clauses, and/or the Applicable UK Clauses, the transferor of the said personal data shall be the Data Exporter and the transferee of any personal data shall be the Data Importer; 12.5.4. In respect of any Transfer between any Member or Affiliate Audit Company, and any other Member, or Affiliate Audit Company, each as Data Controller agrees that by agreeing to receive or access any data across the Sedex Platform, they will be bound by the EU Model Clauses and/or any Applicable UK Clauses (as if they had executed them) as are relevant to the Transfer, and agrees to comply with those clauses at their own cost. For the purpose of such clauses, the Data Controller providing access to the personal data is the Data Exporter and the recipient of the personal data is the Data Importer; 12.5.5. In respect of international transfers of personal data for which the EU Model Clauses or the Applicable UK Clauses may not provide appropriate safeguards or ensure compliance with the Data Protection Legislation, each Data Controller shall take any steps required to comply with Data Protection Legislation, which may include entering into Applicable Clauses; 12.5.6. Any party shall timeously (at its own expense) do all such things, execute and deliver all such documents, and, or procure the doing of such things, execution of documents as are required to comply with the relevant Data Protection Legislation in respect of such international transfers of personal data. 12.5.7.
Notwithstanding the foregoing, each Member or Affiliate Audit Company as Data Controller acknowledges that it is responsible for ensuring compliance with Data Protection Legislation and has the right to make any further arrangements it deems appropriate to ensure compliance in respect of such Transfers or any other international transfers of personal data. 12.6. Each party shall assist the other party or parties in complying with all applicable requirements of the Data Protection Legislation and in respect of the Agreement. In particular (without limitation), each Data Controller shall: • consult with the other Data Controller(s) about any notices given to data subjects in relation to the Shared Personal Data; • promptly inform the other party about the receipt of any data subject access request in relation to the Shared Personal Data, unless prohibited by law; • provide the other party with reasonable assistance (at the cost of the other party) in complying with any data subject access request; • not disclose or release any Shared Personal Data in response to a data subject access request without (wherever possible or lawful to do so) first consulting the other party and reasonably taking into account their views; • in relation to the Shared Personal Data assist the other party, at the cost of the other party, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation including those relating to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; • notify the other party promptly of any complaints received from data subjects or threatened proceedings relating to compliance with the Data Protection Legislation in respect of the Shared Personal Data.
• notify the other party without undue delay (and in the case of a data security breach within 48 hours) on becoming aware of any breach of the Data Protection Legislation concerning the Shared Personal Data; • use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers; • maintain complete and accurate records and information to demonstrate its compliance with this clause 12; and • provide the other party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the parties' compliance with the Data Protection Legislation. 12.7. Members and Affiliate Audit Companies hereby agree that: • Sedex may use any data, information, statistics or other related information deduced from the Shared Personal Data which is anonymised or pseudonymised for its own purposes and at its sole discretion, provided such use is not in breach of Data Protection Legislation (“Anonymised Data”); and • the Anonymised Data and any further information created, derived or generated from it shall be the sole and exclusive property of Sedex. 12.8. The parties agree that Sedex, will have permission to share anonymous and aggregated data extracted from the Data and covering, amongst other things, sector issues, regional or sector risk profiles, trade processes and other relevant information, to the extent no Member, Affiliate Audit Company, End User or worker may be identified as a result.

Appears in 2 contracts

Samples: Terms of Service, Terms of Service

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliated Company for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22; 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data;
or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any 
Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Samples: Courier Services Framework Agreement

Data Protection. 32.1. The Parties agree that with respect to their rights and obligations under this Framework Agreement and for the purposes of the Data Protection Legislation that the Client is the “Data Controller” and that ILLY is the “Data Processor” to the extent that it is providing an Application Hosting service for the licensed software on the ASP Infrastructure. 32.2. ILLY shall: 32.2.1. only undertake processing of “Personal Data” (as defined in the Data Protection Legislation) in accordance with the Client’s policies, including - but not limited to - data protection, information security and retention of personal data and instructions from the Client (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Client to ILLY during the Term); 32.2.2. only undertake processing of Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Services, or as is required by law or any regulatory body with the necessary jurisdiction; 32.2.3. implement appropriate technical and organisational measures Protective Measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental lossany Data Loss Event Data Protection Legislation, destruction, damage, alteration or disclosure. These provided that such measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data Loss Event and having regard to to: the nature and sensitivity of the Personal Data which is to be protected; the state of technological development and the cost of implementing any measures; 32.2.4.
take all reasonable steps to ensure the reliability of any of its Personnel who have access to the Personal Data, including carrying out adequate security checks on those Personnel; 32.2.5. ensure that all of its Personnel who legitimately require access to the Personal Data to carry out their duties are informed of the confidential nature of the Personal Data, are subject to appropriate confidentiality undertakings and comply with the obligations set out in this section; 32.2.6. ensure that none of its Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Client; 32.2.7. not transfer the Personal Data to any Personnel involved in the provision of the Services without first obtaining the written consent of the Client; 32.2.8. notify the Client without undue delay and in any event within 24 hours if it: (a) receives a request from any individual to have access to their Personal Data; (b) receives a request to rectify, block or erase any Personal Data; c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or f) becomes aware of a Data Loss Event.
ILLY's obligation to notify under clause 32.2.8 shall include the provision of further information to the Client in phases, as details become available. 32.2.9. provide the Client with full cooperation and assistance in relation to any complaint or request made in relation to the Personal Data, including (without limitation) by: (a) providing the Client with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Client’s instructions; (c) providing the Client with any Personal Data it holds in relation to an individual (within the timescales required by the Client); and (d) providing the Client with any information requested by the Client. 32.2.10. permit the Client or its officers (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit ILLY’s data processing activities (and/or those of its agents, subsidiaries and Personnel) and comply with all reasonable requests or directions by the Client to enable the Client to verify and/or procure that ILLY is in full compliance with its obligations under this Framework Agreement; 32.2.11. provide a written description of the technical and organisational methods employed by ILLY for processing Personal Data (within the timescales required by the Client); and 32.2.12.
not process Personal Data outside the European Economic Area as referred to in the Data Protection Legislation without the prior written consent of the Client and, where the Client consents to a transfer, to comply with: (a) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 2018 and Article 46 of the GDPR by providing an adequate level of protection for any Personal Data that is transferred; and (b) any reasonable instructions notified to it by the Client.

Appears in 1 contract

Samples: Standard Terms and Conditions

Data Protection. 14.1 The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The CLIENT and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. 14.2 Where the SERVICE PROVIDER, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the CLIENT, it shall: 14.2.1 carry out the Processing of Personal Data only in accordance with instructions from the CLIENT (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the CLIENT to the SERVICE PROVIDER during the Term); 14.2.2 carry out the processing of Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; 14.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 14.2.4 take all reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; 14.2.5 obtain prior written consent from the CLIENT in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Ordered Services; 14.2.6 ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 14; 14.2.7 ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CLIENT; 14.2.8 notify the CLIENT (within five (5) Working Days) if it receives: 1.1.1.1 a request from a Data Subject to have access to that person’s Personal Data; or 1.1.1.2 a complaint or request relating to the CLIENT’s obligations under the Data Protection Requirements;

Appears in 1 contract

Samples: Legal Services Agreement

Data Protection. 22.1 With respect to [Include the Parties' rights blue parts of this clause and obligations Schedule 5 if the Supplier will be processing large amounts of personal data under this Framework Agreement]. 10.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 10 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Parties agree Data Protection Legislation. 10.2 The parties acknowledge that for the Authority purposes of the Data Protection Legislation, OxLEP is the Data Controller controller and that the Supplier is the Data Processorprocessor. [Schedule 5 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject.] 22.2 The 10.3 Without prejudice to the generality of clause 10.1, the Supplier shall: 22.2.1 Process , in relation to any personal data processed in connection with the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified performance by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the its obligations set out in under this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receivesAgreement: (a) a request from a Data Subject process that personal data only on the documented written instructions of OxLEP unless the Supplier is required by Applicable Law to have access to otherwise process that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or requestpersonal data; (b) complying with a ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of personal data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructionsagainst accidental loss or destruction of, or damage to, personal data; (c) providing ensure that all personnel who have access 
to and/or process personal data are obliged to keep the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authoritypersonal data confidential; and (d) providing the Authority with not transfer any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's personal data Processing activities (and/or those outside of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without unless the prior written consent of OxLEP has been obtained and the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply withfollowing conditions are fulfilled: (i) the Supplier has provided appropriate safeguards in relation to the transfer; and (ii) the Supplier complies with its obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 Legislation by providing an adequate level of protection to any Personal Data personal data that is transferred; and. 
(e) assist OxLEP, at OxLEP's cost, in responding to any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times request from a data subject and in ensuring compliance with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation; (f) notify OxLEP without undue delay on becoming aware of a personal data breach; (g) if and when required by OxLEP, delete or return personal data and copies thereof to OxLEP unless required by Applicable Law to store the personal data; (h) maintain complete and accurate records and information to demonstrate its compliance with this clause 10 and allow for audits by OxLEP or OxLEP's designated auditor; and (i) [indemnify OxLEP against any loss or damage suffered by OxLEP in relation to any breach by the Supplier of its obligations under this clause 10]. 10.4 OxLEP consents to the Supplier appointing the third party processors listed in Schedule 5. The Supplier confirms that it has entered or (as the case may be) will enter with the third party processor into a written agreement incorporating terms which are substantially similar to those set out in this clause 10 and which reflect the requirements of the Data Protection Legislation. As between OxLEP and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third party processor appointed by it pursuant to this clause 10. 10.5 If and when required by OxLEP any Personal Data held under or in connection with the Agreement must be securely destroyed and/or permanently deleted.

Appears in 1 contract

Samples: Services Agreement

Data Protection. 22.1 With respect For the purpose of the following Clauses, the terms “controller”, “data subject”, "personal data", “process”, “processor” and “personal data breach” shall have the meanings given to them in the Data Protection Laws, and “processing” and “processed” shall be construed accordingly. Each party hereby undertakes to the Parties' rights other that it shall comply with the obligations of a "controller" under the provisions of the Data Protection Laws and undertakes that it will only process personal data as is necessary to perform its obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only Agreement (without prejudice to Clause 5.2 (General standards)) in accordance with instructions from the Authority applicable Data Protection Laws. In addition, each party (which may be specific instructions or instructions to the extent that it processes personal data as a processor on behalf of the other party (the “Controller Party”) [in accordance with Schedule Part 28]): taking into account the nature of the processing and in accordance with Article 32 of the GDPR, warrants that it has (and all Sub Contractors of any tier and their agents have to the extent that they process personal data as a processor on behalf of a general nature as set out in this Framework Agreement or as otherwise notified by Controller Party) the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data in place against unauthorised or unlawful Processing processing of personal data and against accidental lossloss or destruction of, destruction, damage, alteration or 
disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take to, personal data held or processed by it; has taken all reasonable steps to ensure the reliability and integrity of any Supplier’s Staff of its staff (including consultants and agents) who will have access to personal data processed as part of this Agreement, and to ensure such persons shall have entered into an appropriate contractual agreement that requires them to keep the Personal Data; 22.2.5 obtain prior Approval from personal data confidential; undertakes that it will act only on the Authority documented instructions of the Controller Party in order relation to transfer the Personal processing of any personal data made available by or on behalf of the Controller Party as part of this Agreement, and immediately inform the Controller Party if, in its opinion, an instruction infringes the Data Protection Laws; shall make available to the Controller Party all information necessary to demonstrate compliance with this Clause 60.3 and undertakes to allow the Controller Party access to any Subrelevant premises on reasonable notice to inspect its procedures described at Clause 60.3.1 above; shall promptly, and in any event within forty-Contractors eight (48) hours of receipt of any request or Affiliates for correspondence, notify the provision Controller Party about any actual or suspected breach of this Clause 60.3 or the Data Protection Laws, or any actual or suspected personal data breach and shall: implement any measures necessary to restore the security of compromised personal data; and support the Controller Party in making any required notifications to any regulatory authority and affected data subjects; shall promptly, and in any event within forty-eight (48) hours of receipt of any 
request or correspondence, notify the Controller Party if it receives a subject access request or notice from a data subject exercising its rights under the Data Protection Laws in respect of any personal data or any correspondence from a regulatory authority in relation to the processing of any personal data on behalf of the Services; 22.2.6 ensure that all Supplier Staff required to access Controller Party; shall not sub-contract any processing of personal data without the Personal Data are informed of the confidential nature of the Personal Data and Controller Party’s prior written consent; shall comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) imposed upon a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations processor under the Data Protection Legislation; 22.2.9 provide Laws, and use all reasonable endeavours to assist the Authority with full cooperation and assistance Controller Party in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in requirements of the Data Protection Legislation Laws (including the obligations pursuant to Articles 32 to 36 of the GDPR (inclusive)); upon termination of the Agreement and in accordance with on the Authority's instructions; (c) providing instructions of the Authority with Controller Party, shall return to the Controller Party or destroy all copies of the personal data, except the extent it is required to keep copies by any Personal Data it holds in relation to a Data Subject (within law of the timescales 
required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority UK or the Authority’s Representative (subject to the reasonable European Union; and appropriate confidentiality undertakings), to inspect and audit, the Supplier's shall not transfer any personal data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the Controller Party’s prior written consent of consent. Where a party sub-contracts any processing in accordance with clause 60.3.7, that party shall impose the Authority or Contracting Body concerned and, where same data protection obligations in this Agreement and as required by Data Protection Laws on the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations sub-processor by way of a Data written contract. The party sub-contracting processing in accordance with clause 60.3.7 shall remain fully liable to the Controller under Party for the Eighth Data Protection Principle performance of its obligations. 
[At the time the Controller Party requires the other party to process personal data on the Controller Party’s behalf, the parties shall identify and agree in writing, in the form set out in Schedule 1 Part 28, in accordance with this Agreement and Article 28 of the Data Protection Act 1998 by providing an adequate level GDPR, the subject matter and duration of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with processing, the Data Protection Legislation nature of the processing, the type of personal data, categories of data subjects and shall not perform its obligations under this Framework Agreement in such a way as to cause and rights of the Authority to breach any of its applicable obligations under the Data Protection Legislation.Controller Party.]2

Appears in 1 contract

Samples: Project Agreement

Data Protection. 22.1 With respect 18.1 The Executive shall at all times during the Appointment adhere to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified any policy introduced by the Authority Company from time to the Supplier during the Term); 22.2.2 Process the Personal Data only time to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out DPA or equivalent legislation in any other relevant jurisdiction. Breach of this Clause 22 undertaking will constitute a disciplinary offence. 
18.2 The Executive hereby consents to the Company holding and processing both electronically and manually the personal data it collects which relates to the Executive which is necessary or reasonably required for the proper performance of this agreement, for management, administrative and other employment related purposes (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose both during and after the Appointment) or divulge any for the conduct of the Personal Data Group’s business or to comply with applicable law, rules and regulations (the “Authorised Purposes”) and the Executive agrees to provide the Group with all personal data relating to her which is necessary or reasonably required for the Authorised Purposes. 18.3 The Executive explicitly consents to the Company or any other Group Company processing her personal data, including her sensitive personal data, where this is necessary or reasonably required to achieve one or more of the Authorised Purposes. 18.4 The Executive acknowledges that the Company may, from time to time collect or disclose her personal data (including her sensitive personal data) from and to third party unless directed in writing to do so parties (including without limitation the Executive’s referees, any management consultants or computer maintenance companies engaged by the Authority; 22.2.8 notify Company, the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint Company’s professional advisers, other Group Companies, any suppliers of goods or request relating services to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation Group and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details potential purchasers of the complaint or request; (b) complying with a data access request within 
the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required business carried on by the Authority; and (d) providing Company and/or the Authority Group). The Executive consents to such collection and disclosure even where this involves the transfer of such data, with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings)safeguards, to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area where this is necessary or reasonably required to achieve one or more of the Authorised Purposes or is in the interests of the Company and/or its shareholders. 18.5 The Company agrees to process any Personal Data supplied personal data made available to it by the Authority or any Other Contracting Body without Executive in accordance with the prior written consent provisions of the Authority or Contracting Body concerned and, where DPA. 
18.6 In this clause “data controller” “personal data” “processing” and “sensitive personal data” shall have the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle meaning set out in Schedule section 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concernedDPA. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Samples: Service Agreement (Eros International PLC)

Data Protection. 22.1 With respect 20.1 The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. For the Parties' rights and obligations under this Framework Agreementavoidance of doubt, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures Provider shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing 
activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times familiar with the Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. 20.2 Where the Provider is Processing Personal Data under or in connection with this Contract, the Parties shall comply with the Data Protection Protocol. 
20.3 The Provider and the Commissioner shall ensure that Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes). 20.4 Where, as a requirement of this Contract, the Provider is Processing Personal Data relating to patients and/or service users as part of the Services, the Provider shall: 20.4.1 complete and publish an annual information governance assessment using the NHS information governance toolkit; 20.4.2 achieve a minimum level 2 performance against all requirements in the relevant NHS information governance toolkit; 20.4.3 nominate an information governance lead able to communicate with the Provider’s board of directors or equivalent governance body, who will be responsible for information governance and from whom the Provider’s board of directors or equivalent governance body will receive regular reports on information governance matters including, but not perform limited to, details of all incidents of data loss and breach of confidence; 20.4.4 report all incidents of data loss and breach of confidence in accordance with Department of Health and/or the NHS England and/or Health and Social Care Information Centre guidelines; 20.4.5 put in place and maintain policies that describe individual personal responsibilities for handling Personal Data and apply those policies vigorously; 20.4.6 put in place and maintain a policy that supports its obligations under the NHS Care Records Guarantee (being the rules which govern information held in the NHS Care 
Records Service, which is the electronic patient/service user record management service providing authorised healthcare professionals access to a patient’s integrated electronic care record); 20.4.7 put in place and maintain agreed protocols for the lawful sharing of Personal Data with other NHS organisations and (as appropriate) with non-NHS organisations in circumstances in which sharing of that data is required under this Framework Agreement Contract; 20.4.8 where appropriate, have a system in such place and a way policy for the recording of any telephone calls in relation to the Services, including the retention and disposal of those recordings; 20.4.9 at all times comply with any information governance requirements and/or processes as may be set out in the Specification and Tender Response Document; and 20.4.10 comply with any new and/or updated requirements, Guidance and/or Policies notified to cause the Provider by the Authority from time to breach time (acting reasonably) relating to the Processing and/or protection of Personal Data. 20.5 Where any Personal Data is Processed by any Sub-contractor of its applicable the Provider in connection with this Contract, the Provider shall procure that such Sub- contractor shall comply with the relevant obligations under set out in Clause 2 of this Error! Reference source not found., as if such Sub-contractor were the Provider. 20.6 The Provider shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Supplier’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data Protection Legislationin connection with this Contract.

Appears in 1 contract

Samples: Service Agreement

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor in relation to Authority Personal Data. 22.2 The Supplier shall: 22.2.1 Process the Authority Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Authority Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Available Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Authority Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Authority Personal Data and having regard to the nature of the Authority Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier Staff who have access to the Authority Personal Data; 22.2.5 obtain prior written consent from the Authority in order to transfer the Authority Personal Data to any other person (including for the avoidance of doubt any Sub-Contractor) for the provision of the Available Services; 22.2.6 ensure that all Supplier Staff required to access the Authority Personal Data are informed of the confidential nature of the Authority Personal Data and comply with the obligations set out in this Clause 22; 22.2.7 ensure that none of Supplier Staff publish, disclose or divulge any of the Authority Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to Authority Personal Data relating to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made relating to Authority Personal Data, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Authority Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (d) providing the Authority with any information requested by the Authority; 22.3 The Supplier shall: 22.3.1 permit the Authority or the Authority Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Samples: Framework Agreement

Data Protection. 15.1 The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The CUSTOMER and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. 15.2 Where the SERVICE PROVIDER, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the CUSTOMER, it shall: 15.2.1 carry out the Processing of Personal Data only in accordance with instructions from the CUSTOMER (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the CUSTOMER to the SERVICE PROVIDER during the Term); 15.2.2 carry out the processing of Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; 15.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 15.2.4 take all reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; 15.2.5 obtain prior written consent from the CUSTOMER in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Ordered Services; 15.2.6 ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 15; 15.2.7 ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CUSTOMER; 15.2.8 notify the CUSTOMER (within five (5) Working Days) if it receives: 15.2.8.1 a request from a Data Subject to have access to that person’s Personal Data; or 15.2.8.2 a complaint or request relating to the CUSTOMER’s obligations under the Data Protection Requirements; 15.2.9 provide the CUSTOMER with full cooperation and assistance in relation to any complaint or request made, including by: 15.2.9.1 providing the CUSTOMER with full details of the complaint or request; 15.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the CUSTOMER’s instructions; 15.2.9.3 providing the CUSTOMER with any Personal Data it holds in relation to a Data Subject (within the timescales required by the CUSTOMER); and 15.2.9.4 providing the CUSTOMER with any information requested by the CUSTOMER; 15.2.10 permit the CUSTOMER or its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the SERVICE PROVIDER’s data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the CUSTOMER to enable the CUSTOMER to verify and/or procure that the SERVICE PROVIDER is in full compliance with its obligations under this Contract. In this respect, the SERVICE PROVIDER shall be responsible for maintaining the confidentiality of information relating to its other clients; 15.2.11 provide a written description of the technical and organisational methods employed by the SERVICE PROVIDER for Processing Personal Data (within the timescales required by the CUSTOMER); and 15.2.12 not undertake the Processing of Personal Data outside the European Economic Area without the prior written consent of the CUSTOMER and, where the CUSTOMER consents to a transfer, to comply with: 15.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and 15.2.12.2 any reasonable instructions notified to it by the CUSTOMER. 15.3 The SERVICE PROVIDER shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this Contract in such a way as to cause the CUSTOMER to breach any of its applicable obligations under the Data Protection Requirements. 15.4 The CUSTOMER may from time to time serve on the SERVICE PROVIDER an information notice requiring the SERVICE PROVIDER within such time and in such form as is specified in the information notice, to furnish to the CUSTOMER such information as the CUSTOMER may reasonably require relating to: 15.4.1 compliance by the SERVICE PROVIDER with the SERVICE PROVIDER’s obligations under this Contract in connection with the Processing of Personal Data; and/or 15.4.2 the rights of Data Subjects, including but not limited to subject access rights. 15.5 The SERVICE PROVIDER will allow its data Processing facilities, procedures and documentation to be submitted for scrutiny by the CUSTOMER or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Contract. In this respect, the SERVICE PROVIDER shall be responsible for maintaining the confidentiality of information relating to its other clients. 15.6 With respect to the parties’ rights and obligations under this Contract, the parties acknowledge that, except where otherwise agreed, the CUSTOMER is the Data Controller and the SERVICE PROVIDER is the Data Processor.
Where the SERVICE PROVIDER wishes to appoint, in accordance with the provisions of Clause 29, a Sub-Contractor to assist it in providing the Ordered Services and such assistance includes the Processing of Personal Data on behalf of the CUSTOMER, then, subject always to compliance by the SERVICE PROVIDER with the provisions of Clause 29 relating to the appointment of Sub-Contractors, the CUSTOMER hereby grants to the SERVICE PROVIDER a delegated authority to appoint on the CUSTOMER’S behalf such Sub-Contractor to undertake the Processing of Personal Data provided that the SERVICE PROVIDER shall notify the CUSTOMER in writing of such appointment and the identity and location of such Sub-Contractor. The SERVICE PROVIDER warrants that such appointment shall be on substantially the same terms with respect to Data Protection Requirements as are set out in this Contract, including the terms set out in Clause 15.2. Any Sub-Contractor appointed under the provisions of this Clause 15.6 shall, for the purposes of Schedule 2-8, be regarded as a principal Sub-Contractor and shall be specified in Table 1 of Schedule 2-8. 15.7 Save as set out in this Clause 15, any unauthorised Processing, use or disclosure of personal data by the SERVICE PROVIDER is strictly prohibited. 
15.8 The SERVICE PROVIDER shall be liable for and shall indemnify (and keep indemnified) the CUSTOMER against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the CUSTOMER which arise directly or in connection with the SERVICE PROVIDER’s data Processing activities under this Contract, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the SERVICE PROVIDER or its employees, servants, agents or Sub-Contractors.

Appears in 1 contract

Samples: Consultancy Services Agreement

Data Protection. 16.1 With respect to the parties’ rights and obligations under the Agreement, the parties acknowledge that, for the purposes of the Data Protection Legislation, the Company is the processor and the Customer is the controller in respect of any personal data processed by the Company pursuant to the Agreement. The Order Document sets out the scope, nature, and purpose of processing by the Company, the duration of the processing and the types of personal data and categories of data subject. 16.2 Each party shall comply with all applicable requirements of the Data Protection Legislation in respect of personal data. This clause 16 is in addition to, and does not relieve, remove, or replace, a party’s obligations under the Data Protection Legislation. 16.3 Without limiting the generality of the foregoing, the Company shall: (a) Process the personal data only on behalf of the Customer, only for the purposes of performing the Agreement and only in accordance with the Customer’s documented data controller instructions from time to time, unless required to do so by the law, in which case it will inform the Customer of that legal requirement before processing, subject to any legal requirement prohibiting such notification.
The Customer’s documented instructions include any tasks attributed to the Company in a Service Level Agreement; (b) Only transfer personal data to a third country or international organisation, on the instruction of the data controller (Customer) or with the data controller’s authorisation; (c) Ensure that only personnel that are authorised by the Company to have access to personal data, have been properly trained and appropriately vetted and have committed themselves to confidentiality in respect of the personal data and are made aware of the Company’s obligations hereunder; (d) Taking into account the nature of the processing implement and take such measures in relation to the security, confidentiality, availability, and integrity of the personal data as are required of it by the Data Protection Legislation and this Agreement; (e) Observe and comply with the requirements of the Data Protection Legislation with regard to the engagement of, and responsibility for, sub-processors; (f) Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests by data subjects to exercise their rights under the Data Protection Legislation (including the right to transparency and information, the data subject access right, the right to rectification and erasure, the right to the restriction of processing, the right to data portability and the right to object to processing). 
Where notification of the exercise of such rights is given to the Company, the Company shall notify the Customer without undue delay, but in any case, within 5 days of the request; (g) Taking into account the nature of the processing and the information available to the Company, assist the Customer in carrying out its obligations under the Data Protection Legislation with respect to security, breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators. Any such assistance required from the Company (by the Customer) in relation to a breach of Data Protection Legislation by the Customer, shall be chargeable by the Company at the then prevailing rates; (h) Make available to the Customer information that demonstrates its compliance with appropriate Data Protection Legislation and this clause 16, in relation to its obligations as a processor; (i) Notify the Customer without undue delay but in any event within 48 hours, after becoming aware of a Data Incident. 16.4 If the Company notifies the Customer that, in its opinion, an instruction infringes any applicable Data Protection Legislation, or is of the opinion that an instruction to process personal data is for purposes other than the performance of the relevant Agreement, it will consult with the Customer as soon as reasonably possible. If the Company, after consultation is of the same opinion, it will not be obliged to follow that instruction. 16.5 The Company acknowledges that the personal data belongs to the Customer. 16.6 The engagement of any sub-processor named in the Order Document or other Contract Document for the purposes stated therein is authorised by the Customer and such shall be a general written authorisation for the purposes of the Data Protection Legislation in relation to the purpose for which the sub-processor is engaged. 
16.7 Where a sub-processor ceases to trade, becomes insolvent or is in breach of the Data Protection Legislation, the Company may change that sub-processor without reference to the Customer provided that: (a) it notifies the Customer as soon as practicable and in any event prior to the processing being undertaken; (b) the replacement sub-processor is reputable and of such size and standing as to be able to fulfil its obligations to the Company without difficulty; and (c) where requested by the Customer the Company shall provide a summary of the findings of due diligence undertaken in respect of the replacement sub-processor. 16.8 If the Customer objects to the change pursuant to clause 16.7 it may terminate the relevant Agreement (or where practicable, that part of it dealing with the relevant services) on the provision of 6 months’ notice and (unless it can show that the objection was objectively reasonable in the circumstances) subject to the payment, prior to the expiry of that notice, of all outstanding charges for the balance of the Agreement Term. 16.9 Provided that the Company only undertakes the following activities on an aggregated basis using anonymised data which cannot be linked back to the Customer or any individual, nothing in this clause 16 shall restrict or prevent the Company from recording, retaining and using for monitoring, Product improvement, user-experience improvement, statistical analysis or marketing purposes: (a) any information derived from the Customer or its Representatives access to and use of any Software or Services; or (b) any information or data stored or processed using the Software or Services. 16.10 Subject to clause 3.1 (c) the Company shall permit the Customer (or a third party authorised by it), to carry out data protection audits and inspections of the Company. 
16.11 Without limiting the generality of the foregoing, the Customer shall: (a) ensure that it, and its Associated Companies, comply with the Data Protection Legislation and all applicable codes of practice in respect of the personal data from time to time, including in its role as a controller and in supplying or making available to the Company any personal data for Processing by the Company in performance of its obligations under the Agreement; and (b) not instruct the Company to process personal data for purposes other than the performance of the Agreement. 16.12 The Customer warrants to the Company that: (a) it has all necessary appropriate legal basis and notices in place to enable the lawful transfer of personal data to the Company for the duration and purposes of the Agreement. (b) all personal data provided to the Company pursuant to the Agreement will be, to the best of its knowledge, accurate and complete in all material respects, and that the Customer is entitled to provide the same to the Company without recourse to any third party; and (c) the personal data does not and shall not, so far as it is aware, infringe the rights of any third party. 16.13 The Customer acknowledges that the Company is reliant on the Customer for direction as to the extent that the Company is entitled to use and process personal data and that such direction will be set out in the Order Document. 16.14 If either party breaches its obligations under this clause 16 or the Data Protection Legislation it shall indemnify the other from and against any resulting Losses. 16.15 Where it is determined that both the Company and the Customer are involved in the same processing of the data and are jointly and severally liable under Article 82 paragraphs 2 and 3 for damage caused by the processing; no settlement in relation to that damage shall be made without first consulting the other party. 
16.16 Upon expiry of the Agreement Term (or early termination however so arising) of the Agreement the Customer shall, within 5 working days of receipt of a request from the Company, provide written instruction to the Company in respect of the return and/or deletion of the data that has been processed under the Agreement. Upon receipt of such instruction the Company shall promptly comply and either: (a) provide a copy of the Customer’s data as an Oracle export (unless otherwise agreed as part of the exit process and charges) and then securely delete the Customer instance and the data within it; or (b) securely delete the Customer instance and the data within it. 16.17 The Company shall upon completion of the deletion of the data provide a certificate of destruction to the Customer. 16.18 Where a Customer fails to return the instruction or collect the data extract after a period of 30 days the Company shall delete the Customer's instance and the data within. The Customer warrants that it shall not hold the Company liable for any breach of the Data Protection Legislation or any losses incurred through its failure to provide the instruction at clause 16.16.

Appears in 1 contract

Samples: Master Services Agreement

Data Protection. 14.1 Both parties agree to comply with all applicable requirements of the Data Protection Act 2018 as amended or updated from time to time (“DP Legislation”). 14.2 The parties acknowledge that for the purposes of the DP Legislation, it may be necessary for the Client to process certain personal data (as defined in the DP Legislation) on behalf of the Supplier, and the Client may act as a “controller” or a “processor” (as defined in the GDPR) in respect of such personal data. In these circumstances each party undertakes to fully comply with the applicable obligations imposed on it acting in such capacity under the DP Legislation. 14.3 Each party shall ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of personal data for the duration and purposes of this agreement. 14.4 In relation to any personal data processed in connection with its obligations under this Agreement the Client shall: 14.4.1 process the personal data only on the written instructions of the Supplier unless the Client is required by applicable law to process such data and notifies the Supplier to this effect; 14.4.2 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing, or against accidental loss or destruction of, or damage to the personal data, appropriate to the harm that might result from such occurrence and having regard to the nature of the data to be protected; 14.4.3 ensure that all personnel who have access to and/or process personal data are obliged to keep it confidential; 14.4.4 not transfer the personal data outside of the European Economic Area; 14.4.5 promptly assist the Supplier in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, impact assessments and consultations with supervisory authorities or regulators and including with any requests from data subjects; 14.4.6 notify the Supplier without delay on becoming aware of a personal data breach relating to this Agreement; 14.4.7 at the request of the Supplier, delete or return all personal data on termination of this Agreement unless required by law to store the personal data.

Appears in 1 contract

Samples: Terms and Conditions for Sow Services

Data Protection. 22.1 With respect 24.1 The Service Provider shall (and shall procure that any of its Representatives involved in the provision of this Contract) comply with any notification requests under the Data Protection Requirements and both Parties will duly observe all their obligations under the Data Protection Requirements, which arise in connection with the performance of this Contract. 24.2 Notwithstanding the general obligation in clause 24.1, where the Service Provider is processing Personal Data as a Data Processor for the Council, the Service Provider shall ensure that it has in place appropriate technical and contractual measures to ensure the security of the personal data (and to guard against unauthorised or unlawful processing of the personal data and against accidental loss or destruction of, or damage to, the personal data), as required under the Seventh Data Protection Principle in Schedule 1 to the Parties' rights and Data Protection Act 1998; and 24.2.1 provide the Council with such information as the Council may reasonably require to satisfy itself that the Service Provider is complying with its obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that Protection Requirements; 24.2.2 promptly notify the Supplier is Council of any breach of the Data Processor.security measures required to be put in place pursuant to this clause 24.2; 22.2 The Supplier shall: 22.2.1 Process 24.2.3 process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data Council and only to the extent, and in such manner, as it is necessary for the provision of the Services or as is required by Law or any Other Regulatory Body; 22.2.3 implement appropriate technical and 
organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 24.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 and ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)clause 24; 22.2.7 24.2.5 ensure that none of Supplier’s the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCouncil; 22.2.8 24.2.6 notify the Authority Council within five (5) Working Days Days), if it receives: (a) 24.2.6.1 a request from a Data Subject to have access to that person's Personal Data; or (b) 24.2.6.2 a complaint or request relating to the AuthorityCouncil's obligations under the Data Protection LegislationRequirements; 22.2.9 24.2.7 provide the Authority Council with full cooperation co-operation and assistance in relation to any complaint or request made, including by: (a) 24.2.7.1 providing the Authority Council with full details of the complaint or request; (b) 24.2.7.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation Requirements and in accordance with the AuthorityCouncil's instructions; (c) 24.2.7.3 providing the Authority Council with any Personal Data it holds in relation to a Data Subject 
(within the timescales required by the AuthorityCouncil); and (d) 24.2.7.4 providing the Authority Council with any information requested by the AuthorityCouncil; 22.2.10 The Supplier shall: (a) permit 24.2.8 ensure it does not knowingly or negligently do or omit to do anything which places the Authority or Council in breach of the AuthorityCouncil’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concernedRequirements. 
22.2.11 24.3 The Supplier Service Provider shall comply at all times with the Data Protection Legislation Requirements and shall not perform its obligations under this Framework Agreement Contract in such a way as to cause the Authority Council to breach any of its applicable obligations under the Data Protection LegislationRequirements. 24.4 The Service Provider shall be liable for and shall indemnify the Council and keep the Council indemnified against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the Council which arise directly from a breach by the Service Provider of its obligations under the Data Protection Requirements, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the Service Provider or its employees, servants, agents or Sub-Contractors. 24.5 The provisions of this clause 24 shall apply during the continuance of this Contract and indefinitely after its expiry or termination.

Appears in 1 contract

Samples: Public Health Services Contract

Data Protection. 22.1 55.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority Department is the Data Controller and that the Supplier Contractor is the Data Processor. 22.2 55.2 The Supplier Contractor shall: 22.2.1 55.2.1 Process the Personal Data only in accordance with instructions from the Authority Department (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority Department to the Supplier Contractor during the Term); 22.2.2 55.2.2 Process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 55.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 55.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff Contractor Personnel who have access to the Personal Data; 22.2.5 55.2.5 obtain prior Approval written consent from the Authority Department in order to transfer the Personal Data to any Sub-Contractors contractors or Affiliates of the Contractor for the provision of the Services; 22.2.6 55.2.6 ensure that all Supplier Staff Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)55; 22.2.7 55.2.7 ensure that none of Supplier’s Staff Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityDepartment; 22.2.8 55.2.8 notify the Authority Department (within five (5) Working Days Days) if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the AuthorityDepartment's obligations under the Data Protection Legislation; 22.2.9 55.2.9 provide the Authority Department with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority Department with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the AuthorityDepartment's instructions; (c) providing the Authority Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the AuthorityDepartment); and (d) providing the Authority Department with any 
information requested by the AuthorityDepartment; 22.2.10 The Supplier shall: (a) 55.2.10 permit the Authority Department or the Authority’s Department Representative (subject to any Department Representative entering into confidentiality undertakings on the reasonable and appropriate confidentiality undertakingsterms set out in Schedule 2.7 (Form of Confidentiality Agreement)), to inspect and audit, in accordance with Clause 53 (Audit Provision and Audit Access), the SupplierContractor's data Processing activities (and/or those of its agents, subsidiaries and Sub-ContractorsSub- contractors) and comply with all reasonable requests or directions by the Authority Department to enable the Authority Department to verify and/or procure that the Supplier Contractor is in full compliance with its obligations under this Framework Agreement;; and (b) 55.2.11 provide a written description of the technical and organisational methods employed by the Supplier Contractor for Processing processing Personal Data (within the timescales required by the AuthorityDepartment); and. 
(c) not cause or permit to be Processed and/or otherwise transferred outside 55.3 If the European Economic Area any Processing of Personal Data supplied requires the transfer of Personal Data from the territory from which the Contractor is providing the Services to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer a third party outside the European Economic Area, the Contractor shall obtain the Department's consent prior to comply withany such transfer and where such consent is obtained, it shall be subject to: 55.3.1 the Contractor engaging the third party on terms that are substantially the same as, and no less stringent, than the terms contained in this Clause 55; and 55.3.2 procuring that such third party enters into the EU Commission controller to processor standard clauses (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 Commission Decision 2002/16/EC dated 27 December 2001) with the Department in respect of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it be Processed by the Authority or Contracting Body concerneda third party. . 22.2.11 55.5 The Supplier Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority Department to breach any of its applicable obligations under the Data Protection LegislationLegislation and/or the Computer Misuse Xxx 0000.

Appears in 1 contract

Samples: Agreement for the Provision of Administration Services

Data Protection. 22.1 With respect 14.1 The Company and the Supplier agree that, to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and extent that the Supplier is required to process any personal data as part of the Services, it shall do so on behalf of the Company as a data processor. 14.2 The Supplier warrants that it will process such personal data in accordance with the Data Processor. 22.2 The Protection Act 1998, the Privacy and Electronic Communications Regulation 2003 and any other relevant data protection legislation and, in particular, the Supplier shall: 22.2.1 Process 14.2.1 only carry out processing of such personal data for the Personal Data only purpose of performing the Services in accordance with instructions from this Agreement and in accordance with the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term)Company’s written instructions; 22.2.2 Process the Personal Data only to the extent, 14.2.2 implement and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement maintain appropriate technical and organisational security measures to protect the Personal Data such personal data against unauthorised or unlawful Processing processing and against accidental loss, damage, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 14.2.3 allow the Company to audit the Supplier’s compliance with the requirements of this Condition 14 on reasonable notice and/or provide the Company with evidence of compliance with all the obligations set out in this Condition 14; 14.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff the personnel who have access to the Personal Datapersonal data; 22.2.5 obtain prior Approval 14.2.5 promptly provide such information to the Company as the Company may reasonably require to allow it to comply with the rights of data subjects, including subject access rights; 14.2.6 appoint, and identify to the Company, an individual within its organisation authorised to respond to enquiries from the Authority Company concerning the Supplier’s processing of personal data. 14.3 For the purposes of this Condition 14, “data processor”, “data subject”, “personal data” and “process” shall have the meanings ascribed to them in order to transfer the Personal Data to Protection Act 1998. 14.4 The Supplier warrants that any Subservants, agents or sub-Contractors or Affiliates for contractors used in the provision of the Services; 22.2.6 ensure Services shall be obliged to abide by this Condition 14 and that all Supplier Staff required to access it will remain the Personal Data are informed responsibility of the confidential nature Supplier to ensure compliance with this Condition and the Data Protection Act 1998. 
14.5 The Supplier shall, within 48 hours, notify the Company of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none any breach or suspected breach of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint obligations concerning personal or request relating sensitive data or confidential information to the Authority's obligations under extent that the Data Protection Legislation; 22.2.9 Supplier becomes aware of such breach and shall provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests assistance that may be required in order to resolve or directions by act upon such breach. 
14.6 To the Authority to enable the Authority to verify and/or procure extent that the Supplier is in full providing any Services which involves the processing, transmission or storing of any credit or debit card payments and/or cardholder information on behalf of the Company, it is agreed that: 14.6.1 the Supplier shall be fully responsible for the security of cardholder data that it possesses, including all functions relating to storing, processing and transmitting of the cardholder data; 14.6.2 the Supplier affirms that it has complied with all applicable requirements to be considered PCI DSS compliant and has performed the necessary steps to validate its compliance with its obligations under this Framework Agreementthe PCI DSS; (b) provide a written description 14.6.3 the Supplier agrees to supply the current status of the technical Supplier’s PCI DSS compliance status and organisational methods employed by evidence of its most recent validation of compliance upon execution of these terms and conditions to the Company. The Supplier for Processing Personal Data (within must supply to the timescales required by the Authority)Company a new status report and evidence of validation of compliance at least annually; and (c) not cause or permit 14.6.4 the Supplier will immediately notify the Company if it learns that it is no longer PCI DSS compliant and will immediately provide the Company with details of the steps being taken to remediate the non-compliance status. 
In no event should the Supplier’s notification to the Company be Processed and/or otherwise transferred outside later than five working days after the European Economic Area any Personal Data supplied to Supplier learns it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concernedno longer PCI DSS compliant. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Samples: Terms & Conditions of Purchase of Goods or Services

Data Protection. 22.1 With respect to 19.1 In the Parties' rights and obligations under event that a provision of this Framework clause conflicts with any other provision of this Agreement, the Parties provision in this clause 19 shall prevail to the extent of such conflict. 19.2 The parties confirm that where Services comprise of the Consultancy’s processing of Client Personal Data, the Consultancy shall be the Data Processor and the Client shall be the Data Controller with respect to such processing. 19.3 The parties hereby acknowledge and agree that the Authority is provisions of Article 28(3)(a)-(h) of the Data Controller and that the Supplier is the Data ProcessorGDPR are incorporated into this Agreement, with any necessary changes to give full effect to such provisions. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures 19.4 Each party shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out imposed on it by applicable Data Privacy Laws with regard to Client Personal Data processed by each party in connection with Services. 19.5 Where the Consultancy is obliged to provide assistance to the Client in connection with compliance with this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publishclause 19, disclose or divulge any to third parties at the request of the Personal Data Client (including submission to any third party unless directed an audit or inspection and/or the provision of information), such assistance shall be provided at the sole cost and expense of the Client, save where such assistance directly arises from the Consultancy’s breach of its obligations under this Agreement, in writing to do so which event the costs of such assistance shall be borne by the Authority;Consultancy. 
22.2.8 notify 19.6 Notwithstanding any other provision of this Agreement, the Authority within five (5) Working Days if it receivesConsultancy shall be entitled to sub-contract any part of the Services requiring the processing of Client Personal Data, subject to the following conditions: (a) a request from a Data Subject The Consultancy shall notify the Client in writing of its intention to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full engage such sub-contractor. Such notice shall give details of the complaint or requestidentity of such subcontractor and the services to be supplied by it; (b) complying The Client shall be deemed to have approved the engagement of the sub-contractor if it has not served a notice in writing on the Consultancy objecting (acting reasonably) to such appointment within 7 days of the date that the notice is deemed to be received by the Client in accordance with a data access request within the relevant timescales set out in the Data Protection Legislation and clause 19. 
19.7 Where, in accordance with the Authority's instructions; provisions Article 82 of the GDPR, both parties are responsible for the act, or omission to act, resulting in the payment of losses, costs, damages, expenses, penalties or liability (c“Losses”) providing the Authority with any Personal Data it holds in relation to by a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority party, or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings)both parties, to inspect and audit, the Supplier's data Processing activities (and/or those then a party shall only be liable for that part of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier such Losses which is in full compliance with proportion to its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body 
concernedrespective responsibility. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Samples: Public Relations Consultancy Agreement

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 20.1 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps Provider must make proper arrangements to ensure the reliability of any Supplierthat its Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data Employees and Prospective Employees understand and comply with the obligations requirements of the Data Protection Act 1998 and all successor acts and subordinate legislation. 20.2 The Council shall collect and maintain information which shall be processed and used in accordance with the registration made by the Council under the terms of the Data Protection Act 1998. 
20.3 The Provider shall collect and maintain information that shall be processed and used in accordance with the Data Protection Act 1998. The Provider shall comply with the provisions of the Data Protection Act 1998 and in accordance with principles set out in this Clause 22 (Data Protection);“The Caldicott Committee Report on the review of patient-identifiable information - December 1997”. 22.2.7 20.4 The Provider shall ensure that none of Supplier’s Staff publish, disclose personally identifiable information is shared only where absolutely necessary and where required by Law. Such information will only be shared with those individuals or divulge any agencies who are legally entitled to access to it and only in such cases where the sharing of the Personal Data information can be reasonably justified. 20.5 Where any personally identifiable information is disclosed in accordance with these provisions the Provider shall ensure that the level of information shared is the minimum necessary for the particular purpose. 20.6 All disclosures of personally identifiable information must be undertaken with the consent of the Service User or their representative or be otherwise in accordance with Law. 20.7 The Council will ensure that Service Users or their representative are aware of the individuals or agencies to which their personal information may be disclosed unless there are legitimate reasons for not doing this. 20.8 Before any third party unless directed information is shared the Provider must satisfy itself that the individual or agency to whom the information is to be shared has in writing place appropriate systems to do so by safeguard confidentiality. The Council hereby warrant that they have in place appropriate systems to safeguard the Authority;confidentiality of information as requested or requestable under this Agreement. 
22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating 20.9 The parties agree to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation terms and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales conditions set out in the Data Protection Legislation and in accordance with Information Sharing Protocol appended as the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation Schedule 3 to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer 
outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Samples: Agreement for the Provision of Specialist Domiciliary Care

Data Protection. ‘Data Protection Requirements’ means the Data Protection Act 1998, the EU Data Protection Directive 95/46EC, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI2000/2699), the Privacy & Electronic Communications (EC Directive) Regulations 2003, all applicable laws and regulations relating to the processing of personal data and privacy including as applicable the guidance and codes of practice issued by the Information Commissioner. 18.1 The Service Provider’s attention is hereby drawn to the Data Protection Requirements. The Client and the Service Provider shall observe their obligations under the Data Protection Requirements. 18.2 Where the Service Provider pursuant to its obligations under this Partnering Contract, processes Personal Data (as defined under the Data Protection Act 1998) on behalf of the Client, it shall: 18.1 Process the Personal Data only in accordance with instructions from the Client (which may be specific instructions or instructions of a general nature as set out in this Partnering Contract or as otherwise notified by the Client to the Service Provider during the Term); 18.2 Process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Services or as is required by Law or any regulatory body; 18.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 18.4 Take reasonable steps to ensure the reliability of any Service Provider’s personnel who have access to the Personal Data; 18.5 Obtain prior written consent from the Client in order to transfer the Personal Data to any sub-contractors for the provision of the Services; 18.6 Ensure that any Service Provider’s personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause; 18.7 Ensure that none of the Service Provider’s personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Client; 18.8 Notify the Client (within five (5) working Days) if it receives: (1) a request from a Data Subject (as defined under the Data Protection Act 1998) to have access to that person’s Personal Data; or (2) a complaint or request relating to the Client’s obligations under the Data Protection Requirements; 18.9 Provide the Client with full cooperation and assistance in relation to any complaint or request made, including by: (1) providing the Client with full details of the complaint or request; (2) complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with instructions from the Client; (3) providing the Client with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Client); and (4) providing the Client with any information requested by the Client; 18.10 Permit the Client or its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Service Provider’s data processing activities (and/or those of its agents, subsidiaries and direct sub-contractors) and comply with all reasonable requests or directions by the Client to enable the Client to verify and/or procure that the Service Provider is in full compliance with its obligations under this Partnering Contract; 18.11 Provide a written description of the technical and organisational methods employed by the Service Provider for processing Personal Data (within the timescales required by the Client); and 18.12 Not process Personal Data outside the European Economic Area without the prior written consent of the Client and, where the Client consents to a transfer, to comply with: (1) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (2) any reasonable instructions notified to it by the Client. 18.3 The Service Provider shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this Partnering Contract in such a way as to cause the Client to breach any of its applicable obligations under the Data Protection Requirements. 18.4 The Client may from time to time serve on the Service Provider an information notice requiring the Service Provider within such time and in such form as is specified in the information notice, to furnish to the Client such information as the Client may reasonably require relating to: 18.4.1 compliance by the Service Provider with the Service Provider’s obligations under this Partnering Contract in connection with the processing of Personal Data; and/or 18.4.2 the rights of data subjects, including but not limited to subject access rights. 18.5 The Service Provider will allow its data processing facilities, procedures and documentation to be submitted for scrutiny by the Client or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Partnering Contract. 18.6 With respect to the parties’ rights and obligations under this Partnering Contract, the parties acknowledge that the Client is the Data Controller and the Service Provider is the Data Processor (as each term is defined in the Data Protection Requirements). Where the Service Provider wishes to appoint a Specialist to assist it in providing the Term Programme and such assistance includes the processing of Personal Data on behalf of the Client, relating to the appointment of the Specialist, the Client hereby grants to the Service Provider delegated authority to appoint on the Client’s behalf such Specialist to process Personal Data provided that the Service Provider shall notify the Client in writing of such appointment and the identity and location of such Specialist. The Service Provider shall include substantially the same wording with respect to Data Protection Requirements as are set out in this Partnering Contract, including the terms set out in this document. 18.7 Save as set out in this document any unauthorised processing, use or disclosure of Personal Data by the Service Provider is strictly prohibited. 18.8 The Service Provider shall be liable for and shall indemnify (and keep indemnified) the Client against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and Client basis) and demands incurred by the Client which arise directly or in connection with the Service Provider’s data processing activities under this Partnering Contract, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the Service Provider or its employees, servants, agents or Specialists.

Appears in 1 contract

Samples: Term Partnering Contract

Data Protection. 1.1 The Councils acknowledge that for the purposes of the Data Protection Legislation, both Councils are the Joint Controllers of data. The only processing that the Councils are authorised to do is listed in Schedule 1 and may not be determined by either one of the Councils alone. 1.2 Both Councils shall notify the other immediately if it considers that any of the processing under the Agreement infringes the Data Protection Legislation. 1.3 The Councils shall provide all reasonable assistance to each other in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 Both Councils shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Schedule 1, unless required to do otherwise by Law. If it is so required the Council shall promptly notify the other Council before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the other Council as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Council’s Personnel do not process Personal Data except in accordance with this Agreement and in particular Schedule 1; (ii) the Councils take all reasonable steps to ensure the reliability and integrity of any Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Council’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Council or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Council unless directed in writing to do so by the Council or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; (d) not transfer Personal Data outside of the EU unless the prior written consent of both Councils has been obtained and the following conditions are fulfilled: (i) the Council has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Councils; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Council complies with their obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the other Council in meeting its obligations); and (e) the Councils delete or return Personal Data (and any copies of it) to the other Council on termination of the Agreement unless the other Council is required by Law to retain the Personal Data. 1.5 Subject to clause 1.6, the Councils shall notify the other Council immediately if it receives a request relating to Personal Data in the other Council’s control including: (a) a Data Subject Access Request (or purported Data Subject Access Request); (b) a request to rectify, block or erase any Personal Data; (c) any other request, complaint or communication relating to either Council's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Council for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Councils’ obligations to notify under clause 1.5 shall include the provision of further information to the other Council in phases, as details become available. 1.7 Taking into account the nature of the processing, the Councils shall provide each other with full assistance in relation to either Council's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably agreed) including by promptly providing: (a) full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested to enable the other Council to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the other Council, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the other Council following any Data Loss Event; (e) assistance as requested by the other Council with respect to any request from the Information Commissioner’s Office, or any consultation by the other Council with the Information Commissioner's Office. 1.8 The Councils shall maintain complete and accurate records and information to demonstrate its compliance with this clause. 1.9 The Councils shall allow for audits of its Data Processing activity by the other Council or the other Council’s designated auditor. 1.10 The Councils shall designate a data protection officer as required by the Data Protection Legislation. 1.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Councils must: (a) notify the other Council in writing of the intended Sub-processor and processing; (b) obtain the written consent of the other Council; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause such that they apply to the Sub-processor; and (d) provide the other Council with such information regarding the Sub-processor as the other Council may reasonably require. 1.12 The respective Council shall remain fully liable for all acts or omissions of any Sub-processor. 1.13 The Councils may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to controller standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 1.14 The Councils agree to take account of any guidance issued by the Information Commissioner’s Office. The Councils may on not less than 30 Working Days’ notice to the other Council amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Samples: Delegation and Joint Committee Agreement

Data Protection. 23.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 23.2 The Supplier shall: 23.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 23.2.2 Process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Goods and Services or as is required by Law or any Regulatory Body; 23.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 23.2.4 take all reasonable steps to ensure the reliability of any Supplier Staff who have access to the Personal Data; 23.2.5 obtain prior written Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the purpose of providing the Goods and Services; 23.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 23; 23.2.7 ensure that none of Supplier Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 23.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 23.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (d) providing the Authority with any information requested by the Authority; 23.2.10 The Supplier shall: 22.2.10.1 permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; 22.2.10.2 provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and 22.2.10.3 not cause or permit to be processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: 22.2.10.3.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and 22.2.10.3.2 any reasonable instructions notified to it by the Authority or Contracting Body concerned. 23.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Samples: Framework Agreement

Data Protection. 11.1 The General Practice and Niche Health agree that, with respect to the Personal Data, the General Practice is a Data Controller and Niche Health is a Data Processor acting on behalf of the General Practice. 11.2 The General Practice shall comply at all times with the Data Protection Legislation and shall notify Niche Health promptly in the event of any breach by the General Practice of its obligations under the Data Protection Legislation. 11.3 The General Practice undertakes to provide all necessary notices to and obtain all necessary consents from Data Subjects to enable the use of the Personal Data of those Data Subjects in accordance with the Data Protection Legislation. 11.4 To the extent that Niche Health is a Data Processor acting on the General Practice’s behalf, it shall: 11.4.1 Process the Personal Data only in accordance with the General Practice’s written instructions; 11.4.2 implement appropriate technical and organisational measures in accordance with the Data Protection Legislation to protect the Personal Data against a breach of security caused by unauthorised or unlawful processing and against accidental or unlawful destruction, loss, damage, alteration or unauthorised disclosure of or access to the Personal Data; 11.4.3 ensure that any employees or other persons authorised by Niche Health to process the Personal Data are subject to appropriate obligations of confidentiality; 11.4.4 not transfer the Personal Data outside of the European Economic Area without the prior written consent of the General Practice; 11.4.5 notify the General Practice, as soon as reasonably practicable, about any request or complaint received from a Data Subject (without responding to that request, unless authorised by the General Practice to do so) and assist the General Practice by technical and organisational measures, insofar as possible, for the fulfilment of its obligations in respect of such requests and complaints; 11.4.6 on request by the General Practice and taking into account the nature of the Processing and the information available to Niche Health, use reasonable endeavours to assist the General Practice in ensuring compliance with its obligations under Articles 32 to 36 of the General Data Protection Regulation (EU) 2016/679 (where applicable) in respect to the Personal Data; 11.4.7 subject to clause 11.5, not engage any third party to carry out Niche Health’s Processing obligations under this Licence without obtaining the General Practice’s prior written consent, and where such consent is given, procuring by way of a written contract that such third party will, at all times during the engagement, be subject to data processing obligations equivalent to those set out in this clause 11.4; 11.4.8 on request by the General Practice, make available the information necessary to demonstrate Niche Health's compliance with this clause 11.4 and on reasonable advance notice in writing otherwise permit, and contribute to, audits carried out by the General Practice (or its authorised representative) with respect to the Personal Data, provided that the General Practice shall (or shall ensure its authorised representatives shall): (i) provide at least 30 working days’ advance notice of its intention to carry out an audit; (ii) use reasonable endeavours to ensure that the conduct of any such audit does not unreasonably disrupt Niche Health's normal business operations; and (iii) comply with Niche Health's IT and security policies whilst carrying out any such audit; and 11.4.9 on termination or expiry of this Licence, destroy or return to the General Practice all Personal Data and delete all existing copies of such data (except to the extent that Niche Health is required to keep or store such Personal Data by law). 11.5 The General Practice hereby consent to the use by Niche Health of the following category of sub-processor: IT service providers. 11.6 The General Practice acknowledge that clause 11.4 shall not apply to the extent that Niche Health is required by law to Process the Personal Data other than in accordance with the General Practice’s instructions and, in such case, Niche Health shall inform the General Practice of the relevant legal requirement prior to Processing (unless the law prohibits the provision of such information on important grounds of public interest). 11.7 The General Practice shall reimburse any reasonable costs incurred by Niche Health in the performance of its obligations under clauses 11.4.5, 11.4.6 and 11.4.8. 11.8 For the purposes of clause 11.4: 11.8.1 the type of Personal Data are: (i) the details of a patient’s medical record, including surname, forename, NHS number, date of birth, address and the coded information, free text and attachments forming part of a patient’s medical record; and (ii) names and contact details of Authorised Users; 11.8.2 the categories of Data Subjects are: (i) the patients registered with and/or treated by the General Practice; and (ii) the Authorised Users; 11.8.3 the nature/purpose of the Processing is to enable Niche Health to make available the Product and associated services (which form the subject matter of the Processing); and 11.8.4 the duration of the Processing shall be the term of this Licence.

Appears in 1 contract

Samples: End User Licence Agreement

Data Protection. 15.1 The Service Provider acknowledges the Authority's ownership of Intellectual Property Rights which may subsist in the Authority’s Data. The Service Provider shall not delete or remove any copyright notices contained within or relating to the Authority’s Data. 15.2 The Service Provider and the Authority shall each take reasonable precautions (having regard to the nature of their other respective obligations under this Agreement) to preserve the integrity of the Authority’s Data and to prevent any corruption or loss of the Authority’s Data. 15.3 With respect to the Parties' rights and obligations under this Agreement, the Parties acknowledge that the Authority is a Data Controller and that the Service Provider is a Data Processor. 15.4 The Service Provider shall: 15.4.1 Process the Personal Data only in accordance with instructions from the Authority to perform its obligations under this Agreement; 15.4.2 ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data; 15.4.3 not disclose or transfer the Personal Data to any third party or Service Provider Personnel unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority (save where such disclosure or transfer is specifically authorised under this Agreement); 15.4.4 take all reasonable steps to ensure the reliability and integrity of any Service Provider Personnel who have access to the Personal Data and ensure that the Service Provider Personnel: 15.4.4.1 are aware of and comply with the Service Provider's duties under this Xxxxxx and Clause 17 (Confidentiality); 15.4.4.2 are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Agreement; and 15.4.4.3 have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); 15.4.5 notify the Authority within five (5) Working Days if it receives: 15.4.5.1 from a Data Subject (or third party on their behalf): (A) a Data Subject Access Request (or purported Data Subject Access Request); (B) a request to rectify, block or erase any Personal Data; or (C) any other request, complaint or communication relating to the Authority's obligations under the DPA; 15.4.5.2 any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or 15.4.5.3 a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; 15.4.6 provide the Authority with full cooperation and assistance (within the timescales reasonably required by the Authority) in relation to any complaint, communication or request made as referred to in Clause 15.4.5, including by promptly providing: 15.4.6.1 the Authority with full details and copies of the complaint, communication or request; 15.4.6.2 where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and 15.4.6.3 the Authority, on request by the Authority, with any Personal Data it holds in relation to a Data Subject; and 15.4.7 if requested by the Authority provide a written description of the measures that it has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause and provide to the Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. 15.5 The Service Provider shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country not deemed adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together "Restricted Countries"). If, after the Effective Date, the Service Provider or any Sub-contractor wishes to Process and/or transfer any Personal Data in or to any Restricted Countries, the following provisions shall apply: 15.5.1 the Service Provider shall submit a Change Request to the Authority which, if the Authority agrees to such Change Request, shall be dealt with in accordance with the Change Control Procedure and Clauses 15.3.2 to 15.3.4; 15.5.2 the Service Provider shall set out in its Change Request and/or Impact Assessment details of the following: 15.5.2.1 the Personal Data which will be transferred to and/or Processed in any Restricted Countries; 15.5.2.2 the Restricted Countries which the Personal Data will be transferred to and/or Processed in; and 15.5.2.3 any Sub-contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; 15.5.2.4 how the Service Provider will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Authority's compliance with the DPA; 15.5.3 in providing and evaluating the Change Request and Impact Assessment, the Parties shall ensure that they have regard to and comply with then-current Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and 15.5.4 the Service Provider shall comply with such other instructions and shall carry out such other actions as the Authority may notify in writing, including: 15.5.4.1 incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Agreement or a separate data processing agreement between the Parties; and 15.5.4.2 procuring that any Sub-contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: (A) a direct data processing agreement with the Authority on such terms as may be required by the Authority; or (B) a data processing agreement with the Service Provider on terms which are equivalent to those agreed between the Authority and the Sub-contractor relating to the relevant Personal Data transfer, and in each case which the Service Provider acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority deems necessary for the purpose of protecting Personal Data. 15.6 The Service Provider shall use its reasonable endeavours to assist the Authority to comply at all times with any obligations under the DPA and shall not perform its obligations under this Agreement in such a way as to cause the Authority to breach any of the Authority's obligations under the DPA to the extent the Service Provider is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: Service Agreement

Data Protection. 16.1. In relation to any Personal Data processed in performance of the Services, each party shall comply with its respective obligations under the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679, Directive 95/46/EC and any successor legislation (“Data Protection Laws”). In this regard, Asite acts as Customer’s or Authorised Users ‘data processor’ (the terms ‘data processor’, ‘data subprocessor’ and ‘data controller’ having the meaning given to the term "controller" and "processor" (respectively) in Article 4 of the UK GDPR with the Customer’s Customer acting as the data controller, the Customer acting as the data processor and Asite acting as subprocessor). Both parties will ensure that any data and/or any Personal Data processed pursuant to this Agreement (including where any third parties are used to process any Personal Data) is so processed in conformance with: 16.1.1. Asite’s technical and security measures (which policies shall be available in electronic form within the Site from time to time) to protect such Personal Data against accidental loss or unlawful destruction, alteration, disclosure or access; 16.1.2. Customer’s or Authorised User’s express instructions (provided they are reasonable and in accordance with applicable law); and 16.1.3. All data held by the Asite platform is held securely in data centres based in the United Kingdom. 16.2. Asite shall at all times implement and maintain appropriate technical and organisational measures to protect the Personal Data against accidental, unauthorised or unlawful Processing and against accidental destruction, loss, alteration, damage, disclosure or access. 16.3. Asite shall (at its own expense) promptly provide such information and assistance as the Customer may reasonably require in relation to the fulfilment of the Customer’s obligations to respond to requests for exercising the data subject’s rights under Chapter III of the General Data Protection Regulation (EU) 2016/679 (and any similar obligations under applicable Data Protection Laws). 16.4. Asite shall indemnify and keep indemnified at its own expense the Customer against all claims, liabilities, damages, administrative fines, costs or expenses incurred by the Customer or for which the Customer may become liable due to any failure by Asite (as sub-processor or its subcontractors, agents or personnel) to comply with its obligations under this agreement or the Data Protection Laws including but not limited to any data breaches. Notwithstanding the provision under this clause 16.4, the liability of Asite in respect of all claims under this clause shall be limited to £1,000,000 (one million pounds). 16.5. Asite shall indemnify Customer against all claims, liabilities, damages, administrative fines, costs or expenses occurred by the Customer due to loss or damage or corruption or destruction of data resulting from any act or omission of Asite or any malfunction if its platform. 16.6. Asite shall maintain complete, accurate and up-to-date written records of all categories of processing activities carried out on behalf of the Customer and such records shall be made available to Customer upon written reasonable request.

Appears in 1 contract

Samples: Master Services Agreement

Data Protection. 3.2.1. The Parties’ attention is drawn to the Data Protection Xxx 0000, Directive 95/46/EC of the European Parliament and any legislation and/or regulations implementing them or made in pursuance of them (the “Data Protection Requirements”). The End-User acknowledges that Royal Mail is the data controller in respect of any personal data in the Data. Royal Mail and the Solutions Provider acknowledge that the End-User is the data controller in respect of any personal data in its own database whether it has been cleansed, modified or otherwise. The End-User agrees it will not do or omit to do any act which would place it, the Solutions Provider or Royal Mail in breach of the Data Protection Requirements and each Party warrants to the other that it will duly observe all its obligations under the Data Protection Requirements which arise in connection with the performance of this Licence Agreement. The End-User agrees that it shall: 3.2.1.1. implement appropriate technical and organisational measures to protect personal data within the Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access; 3.2.1.2. promptly refer to Royal Mail (either directly or indirectly via the Solutions Provider) any queries relating to the personal data within the Data from data subjects, the Information Commissioner or any other law enforcement authority, for Royal Mail to resolve; 3.2.1.3. promptly upon request from Royal Mail provide such information to Royal Mail as Royal Mail may reasonably require to allow it to comply, in relation to the personal data within the Data, with the rights of data subjects, including subject access rights, or with information notices served by the Information Commissioner; and 3.2.1.4. ensure that if, during the term of this Licence Agreement, it intends to make any transfers of personal data within the Data which are not European Commission Approved Transfers, then it shall, prior to any such transfer, obtain Royal Mail’s consent and at the End-User’s own cost provide such further information and sign such further documents, agreements or deeds as Royal Mail may require to ensure the adequate protection of the personal data. 3.2.2. For the purposes of this clause 3.2 “data controller”, “data subject”, “personal data” and “processing” shall have the meanings ascribed to them in the Data Protection Xxx 0000.

Appears in 1 contract

Samples: Terms & Conditions

Data Protection. 15.1 The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The CUSTOMER and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. 15.2 Where the SERVICE PROVIDER, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the CUSTOMER, it shall: 15.2.1 carry out the Processing of Personal Data only in accordance with instructions from the CUSTOMER (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the CUSTOMER to the SERVICE PROVIDER during the Term); 15.2.2 carry out the processing of Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; 15.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 15.2.4 take all reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; 15.2.5 obtain prior written consent from the CUSTOMER in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Ordered Services; 15.2.6 ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 15; 15.2.7 ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CUSTOMER; 15.2.8 notify the CUSTOMER (within five (5) Working Days) if it receives: 15.2.8.1 a request from a Data Subject to have access to that person’s Personal Data; or 15.2.8.2 a complaint or request relating to the CUSTOMER’s obligations under the Data Protection Requirements; 15.2.9 provide the CUSTOMER with full cooperation and assistance in relation to any complaint or request made, including by: 15.2.9.1 providing the CUSTOMER with full details of the complaint or request; 15.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the CUSTOMER’s instructions; 15.2.9.3 providing the CUSTOMER with any Personal Data it holds in relation to a Data Subject (within the timescales required by the CUSTOMER); and 15.2.9.4 providing the CUSTOMER with any information requested by the CUSTOMER; 15.2.10 permit the CUSTOMER or its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the SERVICE PROVIDER’s data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the CUSTOMER to enable the CUSTOMER to verify and/or procure that the SERVICE PROVIDER is in full compliance with its obligations under this Contract. In this respect, the SERVICE PROVIDER shall be responsible for maintaining the confidentiality of information relating to its other clients; 15.2.11 provide a written description of the technical and organisational methods employed by the SERVICE PROVIDER for Processing Personal Data (within the timescales required by the CUSTOMER); and 15.2.12 not undertake the Processing of Personal Data outside the European Economic Area without the prior written consent of the CUSTOMER and, where the CUSTOMER consents to a transfer, to comply with: 15.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and 15.2.12.2 any reasonable instructions notified to it by the CUSTOMER. 15.3 The SERVICE PROVIDER shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this Contract in such a way as to cause the CUSTOMER to breach any of its applicable obligations under the Data Protection Requirements. 15.4 The CUSTOMER may from time to time serve on the SERVICE PROVIDER an information notice requiring the SERVICE PROVIDER within such time and in such form as is specified in the information notice, to furnish to the CUSTOMER such information as the CUSTOMER may reasonably require relating to: 15.4.1 compliance by the SERVICE PROVIDER with the SERVICE PROVIDER’s obligations under this Contract in connection with the Processing of Personal Data; and/or 15.4.2 the rights of Data Subjects, including but not limited to subject access rights. 15.5 The SERVICE PROVIDER will allow its data Processing facilities, procedures and documentation to be submitted for scrutiny by the CUSTOMER or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Contract. In this respect, the SERVICE PROVIDER shall be responsible for maintaining the confidentiality of information relating to its other clients. 15.6 With respect to the parties’ rights and obligations under this Contract, the parties acknowledge that, except where otherwise agreed, the CUSTOMER is the Data Controller and the SERVICE PROVIDER is the Data Processor. Where the SERVICE PROVIDER wishes to appoint, in accordance with the provisions of Clause 29, a Sub-Contractor to assist it in providing the Ordered Services and such assistance includes the Processing of Personal Data on behalf of the CUSTOMER, then, subject always to compliance by the SERVICE PROVIDER with the provisions of Clause 29 relating to the appointment of Sub-Contractors, the CUSTOMER hereby grants to the SERVICE PROVIDER a delegated authority to appoint on the CUSTOMER’S behalf such Sub-Contractor to undertake the Processing of Personal Data provided that the SERVICE PROVIDER shall notify the CUSTOMER in writing of such appointment and the identity and location of such Sub-Contractor. The SERVICE PROVIDER warrants that such appointment shall be on substantially the same terms with respect to Data Protection Requirements as are set out in this Contract, including the terms set out in Clause 15.2. Any Sub-Contractor appointed under the provisions of this Clause 15.6 shall, for the purposes of Schedule 2-8, be regarded as a principal Sub-Contractor and shall be specified in Table 1 of Schedule 2-8. 15.7 Save as set out in this Clause 15, any unauthorised Processing, use or disclosure of personal data by the SERVICE PROVIDER is strictly prohibited.
15.8 The SERVICE PROVIDER shall be liable for and shall indemnify (and keep indemnified) the CUSTOMER against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the CUSTOMER which arise directly or in connection with the SERVICE PROVIDER‟s data Processing activities under this Contract, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the SERVICE PROVIDER or its employees, servants, agents or Sub-Contractors.

Appears in 1 contract

Samples: Consultancy Services Agreement

Data Protection. 18.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 18 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 18.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Council is the data controller and the Provider is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). Appendix 4 of the Individual Services Contract terms and conditions sets out the scope, nature and purpose of processing by the Provider, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation, Personal Data) and categories of Data Subject.
18.3 Without prejudice to the generality of clause 18.1, the Council will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Provider for the duration and purposes of this agreement. 18.4 Without prejudice to the generality of clause 18.1, the Provider shall, in relation to any Personal Data processed in connection with the performance by the Provider of its obligations under this agreement: 18.4.1 process that Personal Data only on the written instructions of the Council unless the Provider is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Provider to process Personal Data (Applicable Laws).
Where the Provider is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Provider shall promptly notify the Council of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Provider from so notifying the Council; 18.4.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Council, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 18.4.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 18.4.4 not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: (a) the Council or the Provider has provided appropriate safeguards in relation to the transfer; (b) the data subject has enforceable rights and effective legal remedies; (c) the Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (d) the Provider complies with reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data; 18.4.5 assist the Council, at the Council’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 18.4.6 notify the Council without undue delay on becoming aware of a Personal Data breach; 18.4.7 at the written direction of the Council, delete or return Personal Data and copies thereof to the Council on termination of the agreement unless required by Applicable Law to store the Personal Data; and 18.4.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 18 and allow for audits by the Council or the Council’s designated auditor. 18.5 The Council does not consent to the Provider appointing any third party processor of Personal Data under this Services Agreement.
18.6 The Provider may, at any time on not less than 30 days’ notice, revise this clause 18 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Services Agreement).

Appears in 1 contract

Samples: Services Agreement

Data Protection. 17.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Council is the Controller and the Service Provider is the Processor. The only processing that the Provider is authorised to do is listed in Schedule 3 (Processing, Personal Data and Data Subjects) by the Council and may not be determined by the Contractor. 17.2 The Service Provider shall notify the Council immediately if it considers that any of the Council's instructions infringe the Data Protection Legislation. 17.3 The Service Provider shall provide all reasonable assistance to the Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Council, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 17.4 The Service Provider shall, in relation to any Personal Data processed in connection with its obligations under this contract: a. process that Personal Data only in accordance with Schedule 3 (Processing, Personal Data and Data Subjects), unless the Service Provider is required to do otherwise by Law.
If it is so required the Service Provider shall promptly notify the Council before processing the Personal Data unless prohibited by Law; b. ensure that it has in place Protective Measures, which have been reviewed and approved by the Council as appropriate to protect against a Data Loss Event having taken account of the: (a) nature of the data to be protected; (b) harm that might result from a Data Loss Event; (c) state of technological development; and (d) cost of implementing any measures; c. ensure that: (I) the Service Provider’s Staff do not process Personal Data except in accordance with this contract (and in particular Schedule 3 (Processing, Personal Data and Data Subjects));

Appears in 1 contract

Samples: Domiciliary Care Sessional Support Agreement

Data Protection. 16.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties acknowledge that the Authority is a Data Controller and that the Service Provider is a Data Processor. 16.2 The Service Provider shall: 16.2.1 Process the Personal Data only in accordance with instructions from the Authority to perform its obligations under this Agreement; 16.2.2 ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data; 16.2.3 not disclose or transfer the Personal Data to any third party or Service Provider Personnel unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority (save where such disclosure or transfer is specifically authorised under this Agreement); 16.2.4 take all reasonable steps to ensure the reliability and integrity of any Service Provider Personnel who have access to the Personal Data and ensure that the Service Provider Personnel: 16.2.4.1 are aware of and comply with the Service Provider's duties under this Clause 16 and Clause 18 (Confidentiality); 16.2.4.2 are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Agreement; and 16.2.4.3 have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); 16.2.5 notify the Authority within 5 Working Days if it receives: 16.2.5.1 from a Data Subject (or third party on their behalf): (a) a Data Subject Access Request (or purported Data Subject Access Request); or (b) a request to rectify, block or erase any Personal Data; or (c) any other request, complaint or communication relating to the Authority's obligations under the DPA; 16.2.5.2 any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or 16.2.5.3 a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; 16.2.6 provide the Authority with full cooperation and assistance (within the timescales reasonably required by the Authority) in relation to any complaint, communication or request made as referred to in Clause 16.2.5, including by promptly providing: 16.2.6.1 the Authority with full details and copies of the complaint, communication or request; 16.2.6.2 where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and 16.2.6.3 the Authority, on request by the Authority, with any Personal Data it holds in relation to a Data Subject; and 16.2.7 if requested by the Authority, provide a written description of the measures that it has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause and provide to the Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
16.3 The Service Provider shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country not deemed adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together "Restricted Countries"). If, after the Effective Date, the Service Provider or any Sub-contractor wishes to Process and/or transfer any Personal Data in or to any Restricted Countries, the following provisions shall apply: 16.3.1 the Service Provider shall submit a Change Request to the Authority which, if the Authority agrees to such Change Request, shall be dealt with in accordance with the Change Control Procedure and Clauses 16.3.3 to 16.3.4; 16.3.2 the Service Provider shall set out in its Change Request and/or Impact Assessment details of the following: 16.3.2.1 the Personal Data which will be transferred to and/or Processed in any Restricted Countries; 16.3.2.2 the Restricted Countries which the Personal Data will be transferred to and/or Processed in; and 16.3.2.3 any Sub-contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; 16.3.2.4 how the Service Provider will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Authority's compliance with the DPA; 16.3.3 in providing and evaluating the Change Request and Impact Assessment, the Parties shall ensure that they have regard to and comply with then-current Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and 16.3.4 the Service Provider shall comply with such other instructions and shall carry out such other actions as the Authority may notify in writing, including: 16.3.4.1 incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Agreement or a separate data processing agreement between the Parties; and 16.3.4.2 procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: (a) a direct data processing agreement with the Authority on such terms as may be required by the Authority; or (b) a data processing agreement with the Service Provider on terms which are equivalent to those agreed between the Authority and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Service Provider acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority deems necessary for the purpose of protecting Personal Data.
16.4 The Service Provider shall use its reasonable endeavours to assist the Authority to comply at all times with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of the Authority's obligations under the DPA to the extent the Service Provider is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: Services Agreement

Data Protection. 30.1 Encompass shall agree and enter into an information sharing protocol as agreed by the Parties and the Data Processing Contract when Encompass is acting as a data processor on behalf of the Council as set out in Schedule 11 and at all times act in compliance with these. 30.2 Encompass shall (and shall procure that any of its personnel involved in the provision of the Services under this Agreement shall) comply with any notification requirements under the DPA and the Parties shall duly observe all their obligations under the DPA, which arise in connection with the Agreement. Furthermore, Encompass shall adhere with all applicable provisions of the Data Protection Legislation. 30.3 Notwithstanding the general obligation in Clause 30.2, where Encompass is processing Personal Data as a Data Processor for the Council, Encompass shall ensure that it has in place appropriate technical and contractual measures to ensure the security of the Personal Data (and to guard against unauthorised or unlawful processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data), as required under the Seventh Data Protection Principle in Schedule 1 to the DPA. This shall include (but not be limited to) maintaining secure and encrypted email facilities for the receipt and disclosure of personal data using methods or networks agreed with the Council.
30.4 Encompass shall: 30.4.1 ensure that all Staff who have access to Personal Data have completed Information Governance Training or equivalent training agreed by the Council as Data Controller; 30.4.2 provide a written description of the technical and organisational methods employed by the Data Processor for processing Personal Data (within the timescales required by the Council as a Data Controller); 30.4.3 identify a responsible person for all information governance issues and the protection of all Personal Data that it processes; 30.4.4 provide the Council with such information as the Council may reasonably require to satisfy itself that Encompass is complying with its obligations under the DPA; 30.4.5 notify the Council within 24 hours of any breach of the security measures required to be put in place pursuant to this clause; 30.4.6 provide the Council with full co-operation and assistance in relation to any complaint or request made pursuant to this clause; and 30.4.7 ensure it does not knowingly or negligently do or omit to do anything which places the Council in breach of the Council's obligations under the DPA.
30.5 Encompass shall notify the Council (as Data Controller) within two Working Days, if it receives: 30.5.1 A Subject Access Request as defined by the legislation from a Data Subject to have access to that person’s Personal Data; or 30.5.2 A complaint or request relating to the Council’s (as Data Controller) obligations under the Data Protection legislation. 30.5.3 Save for any requests for copies of previous applications submitted by Data Subjects to Encompass, for any other request from a Data Subject Encompass shall complete a data request record and provide the Council with a monthly report of such requests or at such frequency as the Council may require. 30.6 The provisions of this clause shall apply during the continuance of this Agreement and indefinitely after its expiry or termination or until all data is returned to the Council who is the Data Controller.

Appears in 1 contract

Samples: Agreement for the Provision and Operation of Housing Needs, Homelessness and Support Brokerage Services

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Both Parties agree that the Authority is will comply with all applicable requirements of the Data Controller and that the Supplier Protection Legislation. This Clause 21 is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extentaddition to, and in such mannerdoes not relieve, as it necessary for the provision of the Services remove or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental lossreplace, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the AuthorityParty's obligations under the Data Protection Legislation. 
Without prejudice to the generality of Clause 21.1, Client shall: 21.3.1 ensure that it or (where applicable) the relevant Data Controller has all necessary appropriate consents and notices in place to enable the Processing of the Personal Data by CSI for the duration and purposes of this agreement; 22.2.9 provide 21.3.2 ensure that any Personal Data that it or (where applicable) the Authority relevant Data Controller provides is lawfully disclosed or provided to CSI; 21.3.3 not cause CSI to be in breach of the Data Protection Legislation; 21.3.4 ensure that any instructions provided to CSI regarding the Processing of Personal Data are lawful and shall, at all times, be in accordance with full cooperation Data Protection Legislation; 21.3.5 accept that it has sole responsibility for the technical and assistance organisational measures employed in the Client’s Environments (except where expressly stated as the responsibility of CSI in an Order) and shall maintain any appropriate measures (including any reasonable measures recommended by CSI) in respect of the security of the Personal Data, which may include the pseudonymisation and encryption of the Personal Data; and 21.3.6 ensure that the Personal Data shall not include any Sensitive Personal Data (as defined in the Data Protection Legislation) without first agreeing additional data protection and information security controls with CSI. Without prejudice to the generality of Clause 21.1, CSI shall, in relation to any complaint Personal Data Processed in connection with the performance by CSI of its obligations under this agreement: 21.4.1 Process that Personal Data only on the written instructions of the Client unless CSI is required by Applicable Laws to Process Personal Data. 
Where CSI is relying on Applicable Laws as the basis for Processing Personal Data, CSI shall promptly notify the Client of this before performing the Processing required by the Applicable Laws unless those Applicable Laws prohibit CSI from so notifying the Client; 21.4.2 ensure that it has in place the technical and organisational measures set out in Schedule 2 to protect against unauthorised or request madeunlawful Processing of Personal Data and against accidental loss or destruction of, including byor damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful Processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, ensuring the pseudonymisation, encryption, confidentiality, integrity, availability and resilience of its systems and services, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 21.4.3 ensure that all Personnel, suppliers and sub-contractors who have access to and/or Process the Personal Data are obliged to keep the Personal Data confidential; 21.4.4 not transfer or Process any Personal Data outside of the European Economic Area unless the prior written consent of the Client has been obtained and the following conditions are fulfilled: (a) providing the Authority with full details of Client or CSI has provided appropriate safeguards in relation to the complaint or requesttransfer; (b) complying with a data access request within the relevant timescales Data Subjects have enforceable rights and effective legal remedies as set out in the Data Protection Legislation and in accordance with the Authority's instructionsLegislation; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the 
Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance CSI complies with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iid) any CSI complies with reasonable instructions notified to it in advance by the Client with respect to the Processing of the Personal Data; 21.4.5 promptly inform Client on, and in any event within five (5) Business Days of, receipt of any communication from a Data Subject, Supervisory Authority or Contracting Body concerned.authorised third party regarding the Processing of Client Data; 22.2.11 The Supplier shall comply at all times with 21.4.6 if a Data Subject exercises any of its rights under the Data Protection Legislation 
(including rights of access, correction, blocking, suppression or deletion as are available to such individual) CSI shall, at Client’s cost, promptly provide reasonable assistance in the provision of such information related to the CSI’s Processing as Client reasonably requires; 21.4.7 assist Client in responding to any request from a Data Subject and shall not perform in ensuring compliance with its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with Supervisory Authorities and/or regulators and CSI shall be entitled to levy an additional charge on the Client for its reasonable time and effort utilised in providing such prompt cooperation and assistance as well as any costs and expenses incurred where any assistance provided is outside the scope of the Managed Services and Services; 21.4.8 promptly co-operate with all reasonable requests or directions arising directly from, or in connection with the exercise of its powers by a Supervisory Authority; 21.4.9 notify the Client without undue delay, and in any event within forty eight (48) hours, on becoming aware of a known or suspected Personal Data Breach and/or shall provide Client with all reasonable assistance in providing information for and in the reporting of a Personal Data Breach to the relevant Supervisory Authority; 21.4.10 notify Client if any instructions of the Client shall, to the knowledge of CSI, infringe Data Protection Legislation; 21.4.11 at the written direction of the Client, delete or return the Personal Data and copies thereof to the Client on request, and in any event on expiry or termination of an applicable Order or expiry or termination of this agreement unless required by Applicable Law to store the Personal Data; and 21.4.12 maintain complete and accurate records of Processing and other 
appropriate information to demonstrate its compliance with this Clause 21; 21.4.13 CSI shall allow for and contribute to audits, including inspections, conducted by the Client, the Client’s customers or another independent auditor proposed by the Client and approved by CSI, for the purpose of demonstrating compliance by CSI and with their obligations under this Clause 21 provided that the Client gives CSI reasonable prior notice of such audit and/or inspection and they are limited to no more than once per annum unless (i) otherwise agreed by CSI or (ii) if CSI has been found to be in breach of this Clause 21 within the previous twelve (12) months and Client wishes to confirm that CSI is now compliant. CSI shall be entitled to levy an additional charge on the Client for its reasonable time and effort utilised in providing such contribution and assistance as well as any costs and expenses incurred for additional audits over the once per annum except where CSI has been found to be in breach of this Clause 21 within the previous twelve (12) months. The Client consents to CSI appointing any third parties notified to the Client as a third-party processor to Process Personal Data (“Sub-processors”) under this agreement. CSI confirms that it has entered into, or (as the case may be) will use its reasonable endeavours to enter into a written agreement incorporating terms which are substantially similar to and as far as reasonably possible on terms that are no less onerous than those set out in this Clause 21. As between the Client and the CSI, CSI shall remain fully liable for all acts or omissions of any Sub-processors appointed by it pursuant to this Clause 21. CSI shall promptly notify Client in writing of any loss or damage to the Client Data. In the event of any loss or damage to Client Data, Client's sole and exclusive remedy shall be for CSI to use reasonable commercial endeavours to restore the lost or damaged Client Data from the latest backup of such Client Data. 
CSI shall not be responsible for any loss, destruction, alteration or unauthorised disclosure of Client Data caused by any third party (except those third parties subcontracted by CSI to perform services related to Client Data maintenance and back-up) nor for the security or integrity of any Client Personal Data during its transmission via public telecommunications facilities, the Internet or similar. 21.7.1 the Parties shall execute and shall comply with the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), in the form set out in Schedule 7 to this agreement; and 21.7.2 the Parties agree that CSI shall be entitled to levy such additional charges costs and expenses in respect of its assistance and cooperation as provided for under Clause 21.7. The Client acknowledges and agrees that CSI has appointed or may appoint Sub-processors outside of the UK and the European Economic Area and (i) the Client consents to CSI subcontracting its processing operations performed on behalf of the Client to such Sub-processors; (ii) the Parties shall comply with the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers) (the “SCCs”), in the form set out in Schedule 7; and (iii) the Client acknowledges and agrees that CSI shall enter into the SCCs with any such appointed Sub-processors. 
Each party (the “Indemnifying Party”) shall indemnify the other party (the “Indemnified Party”) against: 21.9.1 all claims, liabilities, costs, expenses, damages and losses (including but not limited to all reasonable professional costs and expenses) (“Losses”) suffered or incurred by the Indemnified Party arising out of or in connection with: a Personal Data Breach, any claim by a third party (including but not limited to a Data Subject) or any failure by the Indemnifying Party to comply with its obligations under this Clause 21; and 21.9.2 all penalties, awards, fines which are imposed upon by a Supervisory Authority, except to the extent that such Losses have arisen out of or in connection with any negligence or wilful default of the Indemnified Party or any breach by the Indemnified Party of its obligations under this Clause 21 (Data Protection).

Appears in 1 contract

Samples: Framework Agreement

Data Protection. 22.1 With respect to 1.1 The Parties acknowledge that for the Parties' rights and obligations under this Framework Agreementpurposes of the Data Protection Legislation, the Parties agree that the Authority “Customer” is the Data Controller and that Evolution Internet Ltd, the Supplier “Provider” is the Data Processor. The only processing that the Provider is authorised by the Customer to do is listed in Annex 1 and will not be determined by the Provider. 22.2 1.2 The Supplier shallProvider will notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 1.3 The Provider will provide all a reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: 22.2.1 Process (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Provider will, in relation to any Personal Data processed in connection with (a) process all Personal Data only in accordance with instructions from Annex 1, unless the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as Provider is required to do otherwise notified by Law. 
If it is so required the Authority to Provider will promptly notify the Supplier during the Term); 22.2.2 Process Customer before processing the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required unless prohibited by Law or any Regulatory BodyLaw; 22.2.3 implement appropriate technical and organisational measures (b) ensure that it has in place Protective Measures to protect the Personal against a Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and Loss Event having regard to the taken account of the: (i) nature of the Personal Data which is data to be protected; 22.2.4 take (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Provider Personnel do not process Personal Data except in accordance with this Agreement (Annex 1); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Supplier’s Staff Provider Personnel who have access to the Personal DataData and ensure that they: (A) are aware of and comply with the Providers duties under this clause; 22.2.5 obtain prior Approval from (B) are subject to appropriate confidentiality undertakings with the Authority in order to transfer the Personal Data to Provider or any Sub-Contractors or Affiliates for the provision of the Servicesprocessor; 22.2.6 ensure that all Supplier Staff required to access the Personal Data (C) are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff do not publish, disclose or divulge any of the Personal Data to any third 
party Party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint Customer or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required as otherwise permitted by the Authoritythis Agreement; and (D) have undergone adequate training. (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description not transfer Personal Data outside of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without EU unless the prior written consent of the Authority or Contracting Body 
concerned and, where Customer has been obtained and the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply withfollowing conditions are fulfilled: (i) the Customer or the Provider has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Provider complies with its obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 Legislation by providing an adequate level of protection to any Personal Data that is transferredtransferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and (iiiv) the Provider complies with any reasonable instructions notified to it in advance by the Authority Customer with respect to the processing of the Personal Data; (e) at the written direction of the Customer, delete or Contracting Body concernedreturn Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Provider is required by Law to retain the Personal Data. 
22.2.11 The Supplier shall comply at all times with 1.5 Subject to clause 1.6, the Provider will notify the Customer immediately if it: (a) receives a Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such Subject Access Request (or purported Data Subject Access Request); (b) receives a way as request to cause the Authority rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to breach any of its applicable either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Provider's obligation to notify under clause 1.5 will include the provision of further information to the Customer in phases, as details become available. 
1.7 Taking into account the nature of the processing, the Provider will provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: (a) the Customer with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Customer following any Data Loss Event; (e) assistance as requested by the Customer with respect to any request from the Information Commissioner's Office or any consultation by the Customer with the Information Commissioner's Office. 1.8 The Provider will maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Provider employs fewer than 250 staff, unless: (a) the Customer determines that the processing is not occasional; (b) the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 1.9 The Provider will allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor. 1.10 The Provider has a designated data protection officer. If the Customer requires details of this individual, they should contact the Provider. 
1.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Provider will: (a) notify the Customer in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Customer; (c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this Schedule such that they apply to the Sub-processor; and (d) provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require. 1.12 The Provider shall remain fully liable for all acts or omissions of any Sub-processor. 1.13 The Provider may, at any time on not less than 30 Working Days’ notice, revise this addendum by replacing it with any applicable clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 1.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Provider may on not less than 30 Working Days’ notice to the Customer amend this agreement to ensure that it complies with any Guidance issued by the Information Commissioner’s Office. 1.15 The Provider’s Terms of Service (Annex 2) state the roles and responsibilities of both the Provider and the Customer when using the system.

Appears in 1 contract

Samples: Data Processing Agreement

Data Protection. 22.1 With respect to 19.1 Each party agrees that, in the Parties' rights and performance of their respective obligations under this Framework Agreement, it shall comply with the Parties agree that provisions of the Authority is Privacy Legislation to the Data Controller and that the Supplier is the Data Processorextent it applies to each of them. 22.2 The Supplier 19.2 In so far as a party (“processing party”) processes any Personal Data (including name, postal address, email address, mobile/telephone details, and other contact or personal details) relating to individuals which is acquired or collected by the processing party on behalf of the other party (“controlling party”) in connection with this Agreement, subject to sub-Clause 19.5, a the processing party shall: 22.2.1 Process 19.2.1 process the Personal Data on behalf of the controlling party (or, if so directed by the controlling party, an Affiliate or Affiliates of the controlling party), only for the purposes of performing this Agreement and only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out contained in this Framework Agreement or as otherwise notified provided to the processing party in writing by the Authority controlling party from time to the Supplier during the Term)time; 22.2.2 Process 19.2.2 not otherwise modify, amend or alter the contents of the Personal Data only to or disclose or permit the extent, and in such manner, as it necessary for the provision disclosure of any of the Services or as is required Personal Data to any third party unless specifically authorised in writing by Law or any Regulatory Bodythe controlling party; 22.2.3 19.2.3 at all times comply with the provisions of the Privacy Legislation and all other Applicable Laws and implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and 
against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps 19.2.4 ensure that only those personnel (including Belltree Personnel where the processing party is Xxxxxxxx) who need to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order Data are granted access to transfer the Personal Data to any Sub-Contractors or Affiliates such data and only for the provision purposes of the Services; 22.2.6 performance of this Agreement and ensure that all Supplier Staff of said personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)19; 22.2.7 ensure that none 19.2.5 obtain prior written consent from the controlling party before transferring Personal Data to any sub-contractor (including any Sub-contractor) and, if such consent is given, include in all contracts with such sub- contractors provisions in favour of Supplierthe controlling party which are equivalent to those in this Clause 19 and enforce these obligations at the controlling party’s Staff request; 19.2.6 not publish, disclose or divulge any of the Personal Data to any third party (including the Data Subject) unless directed in writing to do so in writing by the Authoritycontrolling party; 22.2.8 19.3 The processing party shall notify the Authority controlling party within five (5) Working Business Days if it receivesit: 19.3.1 becomes aware of any breach of this Clause 19 by it or its sub- contractors (a) including any Belltree personnel); 19.3.2 receives a request from a Data Subject to have access to that 
person's Personal Data; or; (b) 19.3.3 receives a complaint or request relating directly or indirectly to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details processing of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authorityconnection with this Agreement; and (d) providing 19.3.4 receives any other communication relating directly or indirectly to the Authority processing of any Personal Data in connection with any information requested by the Authority;this Agreement. 22.2.10 19.4 The Supplier processing party shall: (a) 19.4.1 permit the Authority controlling party or the Authority’s Representative its external advisers (subject to the reasonable and appropriate confidentiality undertakings), ) to inspect and audit, audit the Supplier's processing party’s data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority controlling party to enable the Authority controlling party to verify and/or and procure that the Supplier processing is in full compliance with its obligations under this Framework Agreement; (b) 19.4.2 at no additional cost, provide a written description of such information to the technical controlling party as the controlling party may reasonably require, and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required reasonably specified by the Authority)controlling party, to allow the controlling party to comply with the rights of 
Data Subjects, including Data Subject- access rights, or with notices served by the Information Commissioner or any other law enforcement authority; and (c) 19.4.3 not cause or permit to be Processed and/or otherwise transferred transfer Personal Data outside the UK and European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned controlling party, such consent to be outlined in the relevant Work Statement and, where the Authority or Other Contracting Body concerned controlling party consents to Processing and/or transfer outside the European Economic Areasuch transfer, to comply with: (i) 19.4.4 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 Privacy Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (ii) 19.4.5 any reasonable instructions notified to it by the Authority or Contracting Body concernedcontrolling party. 22.2.11 The Supplier shall comply at all times 19.5 Where the Client is located within a Third Country or is a Non-compliant US Entity and is processing any European Union and/or UK Personal Data (including name, postal address, email address, mobile/telephone details, and other contact or personal details as detailed in the DPA) relating to individuals which is acquired or collected by Belltree in connection with the Agreement, the parties hereby agree to comply with the terms of the DPA with respect to the transfer and processing of any Personal Data. If there is any conflict between the terms of this Agreement and the terms of the DPA, the terms of the DPA shall have precedence. 
19.6 All Personal Data Protection Legislation and relating to individuals which is acquired or collected by Xxxxxxxx on behalf of the Client in connection with this Agreement shall not perform its obligations under belong exclusively to the Client which hereby grants to Belltree and, to the extent necessary, to Belltree Personnel, or shall use commercially reasonable endeavours to procure the grant of, a royalty-free, non-exclusive licence (or, where relevant, an appropriate sub-licence) to use the same solely in relation to the performance of the Services as contemplated in this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection LegislationAgreement.

Appears in 1 contract

Samples: Services Agreement

Data Protection. 15.1 The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The CUSTOMER and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements.
15.2 Where the SERVICE PROVIDER, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the CUSTOMER, it shall: 15.2.1 carry out the Processing of Personal Data only in accordance with instructions from the CUSTOMER (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the CUSTOMER to the SERVICE PROVIDER during the Term); 15.2.2 carry out the Processing of Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; 15.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 15.2.4 take all reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; 15.2.5 obtain prior written consent from the CUSTOMER in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Ordered Services; 15.2.6 ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 15; 15.2.7 ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CUSTOMER; 15.2.8 notify the CUSTOMER (within five (5) Working Days) if it receives: 15.2.8.1 a request from a Data Subject to have access to that person’s Personal Data; or 15.2.8.2 a complaint or request relating to the CUSTOMER’s obligations under the Data Protection Requirements; 15.2.9 provide the CUSTOMER with full cooperation and assistance in relation to any complaint or request made, including by: 15.2.9.1 providing the CUSTOMER with full details of the complaint or request; 15.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the CUSTOMER’s instructions; 15.2.9.3 providing the CUSTOMER with any Personal Data it holds in relation to a Data Subject (within the timescales required by the CUSTOMER); and 15.2.9.4 providing the CUSTOMER with any information requested by the CUSTOMER; 15.2.10 permit the CUSTOMER or its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the SERVICE PROVIDER’s data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the CUSTOMER to enable the CUSTOMER to verify and/or procure that the SERVICE PROVIDER is in full compliance with its obligations under this Contract. In this respect, the SERVICE PROVIDER shall be responsible for maintaining the confidentiality of information relating to its other clients; 15.2.11 provide a written description of the technical and organisational methods employed by the SERVICE PROVIDER for Processing Personal Data (within the timescales required by the CUSTOMER); and 15.2.12 not undertake the Processing of Personal Data outside the European Economic Area without the prior written consent of the CUSTOMER and, where the CUSTOMER consents to a transfer, to comply with: 15.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and 15.2.12.2 any reasonable instructions notified to it by the CUSTOMER.
15.3 The SERVICE PROVIDER shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this Contract in such a way as to cause the CUSTOMER to breach any of its applicable obligations under the Data Protection Requirements.
15.4 The CUSTOMER may from time to time serve on the SERVICE PROVIDER an information notice requiring the SERVICE PROVIDER within such time and in such form as is specified in the information notice, to furnish to the CUSTOMER such information as the CUSTOMER may reasonably require relating to: 15.4.1 compliance by the SERVICE PROVIDER with the SERVICE PROVIDER’s obligations under this Contract in connection with the Processing of Personal Data; and/or 15.4.2 the rights of Data Subjects, including but not limited to subject access rights.
15.5 The SERVICE PROVIDER will allow its data Processing facilities, procedures and documentation to be submitted for scrutiny by the CUSTOMER or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Contract. In this respect, the SERVICE PROVIDER shall be responsible for maintaining the confidentiality of information relating to its other clients.
15.6 With respect to the parties’ rights and obligations under this Contract, the parties acknowledge that, except where otherwise agreed, the CUSTOMER is the Data Controller and the SERVICE PROVIDER is the Data Processor. Where the SERVICE PROVIDER wishes to appoint, in accordance with the provisions of Clause 32, a Sub-Contractor to assist it in providing the Ordered Services and such assistance includes the Processing of Personal Data on behalf of the CUSTOMER, then, subject always to compliance by the SERVICE PROVIDER with the provisions of Clause 32 relating to the appointment of Sub-Contractors, the CUSTOMER hereby grants to the SERVICE PROVIDER a delegated authority to appoint on the CUSTOMER’S behalf such Sub-Contractor to undertake the Processing of Personal Data provided that the SERVICE PROVIDER shall notify the CUSTOMER in writing of such appointment and the identity and location of such Sub-Contractor. The SERVICE PROVIDER warrants that such appointment shall be on substantially the same terms with respect to Data Protection Requirements as are set out in this Contract, including the terms set out in Clause 15.2. Any Sub-Contractor appointed under the provisions of this Clause 15.6 shall, for the purposes of Schedule 2-8, be regarded as a principal Sub-Contractor and shall be specified in Table 1 of Schedule 2-8.
15.7 Save as set out in this Clause 15, any unauthorised Processing, use or disclosure of Personal Data by the SERVICE PROVIDER is strictly prohibited.
15.8 The SERVICE PROVIDER shall be liable for and shall indemnify (and keep indemnified) the CUSTOMER against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the CUSTOMER which arise directly or in connection with the SERVICE PROVIDER’s data Processing activities under this Contract, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the SERVICE PROVIDER or its employees, servants, agents or Sub-Contractors.
15.9 If the SERVICE PROVIDER is responsible for storing any CUSTOMER data as part of the Ordered Services then: 14.9.1 it shall perform secure back-ups of all such data and shall ensure that up-to-date back-ups of such data are stored off-site in accordance with a business continuity and disaster recovery plan and ensure that such back-ups are available to the CUSTOMER at all times upon request; 14.9.2 it shall not delete or remove any proprietary notices contained within or relating to such data; 14.9.3 it shall not store, copy, disclose, or use the CUSTOMER’S data except as necessary for the performance of its obligations under this Contract; 14.9.4 it shall ensure that any system on which it holds any CUSTOMER data, including back-up data, is a secure system that complies with the CUSTOMER’s security policies; and 14.9.5 if at any time the SERVICE PROVIDER suspects or has reason to believe that such CUSTOMER data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then it shall notify the CUSTOMER immediately and inform the CUSTOMER of the remedial action it proposes to take.

Appears in 1 contract

Samples: Telecommunications

Data Protection. 22.1 With respect 11.1 The Supplier/Contractor warrants and represents to the Parties' rights and obligations under this Framework AgreementPurchaser that it shall comply with the Data Protection Laws. 11.2 Without prejudice to Condition 12.1, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier Supplier/Contractor shall: 22.2.1 Process the 11.2.1 process Personal Data only as necessary in accordance with obligations under the Contract and any written instructions from given by the Authority Purchaser (which may be specific instructions or instructions of a general nature as set out nature), including with regard to transfers of Personal Data outside the European Economic Area unless required to do so by European Union or Member state law or regulatory body to which the Supplier/Contractor is subject; in this Framework Agreement or as otherwise notified which case the Supplier/Contractor must, unless prohibited by that law, inform the Authority to the Supplier during the Term); 22.2.2 Process Purchaser of that legal requirement before processing the Personal Data only to the extent, and in such manner, manner as it is necessary for the provision performance of the Services Supplier/Contractor's obligations under this Contract or as is required by Law or any Regulatory Bodylaw; 22.2.3 11.2.2 subject to Condition 12.2.1 only process or otherwise transfer any Personal Data in or to any country outside the European Economic Area with the Purchaser prior written consent; 11.2.3 take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that such personnel are: aware of and comply with the terms of this Condition 12; subject to appropriate confidentiality undertakings; informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party 
unless directed in writing to do so by the Purchaser or as otherwise permitted by this Contract; 11.2.4 implement appropriate technical and organisational measures in accordance with Article 32 of the GDPR to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These , such measures shall be being appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access 11.2.5 provide to the Personal DataPurchaser reasonable assistance including by such technical and organisational measures as may be appropriate in complying with Articles 12-23 of the GDPR; 22.2.5 obtain prior Approval from 11.2.6 If the Authority in order to transfer the Personal Data to any SubSupplier/Contractor engages a sub-Contractors or Affiliates contractor for the provision carrying out Processing activities on behalf of the Services; 22.2.6 Purchaser, the Supplier/Contractor must ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the same data protection obligations as set out in this Clause 22 (Data Protection); 22.2.7 ensure that none Contract are imposed on the sub-contractor by way of a written and legally binding contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. 
The Supplier’s Staff publish, disclose or divulge any /Contractor shall remain fully liable to the Purchaser for the performance of the Personal Data to any third party unless directed in writing sub-contractor's performance of the obligations; and 11.2.7 ensure it does not knowingly or negligently do or omit to do so by anything which places the Authority; 22.2.8 notify Purchaser in breach of the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's Purchaser obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise 
transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concernedLaws. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Samples: Purchase Order Terms and Conditions

Data Protection. 22.1 With respect to 19.1 Where any Personal Data are Processed in connection with the exercise of the Parties' rights and obligations under this Framework Agreement, the Parties agree acknowledge that for the Authority purposes of the Data Protection Legislation, the Council is the Data Controller and that the Supplier Landlord is the Data Processor. The only Processing that the Landlord is authorised to do is what has been instructed by the Council and may not be determined by the Landlord. 22.2 19.2 The Supplier Data Processor shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation. 19.3 The Landlord shall provide reasonable assistance to the Council in the preparation of any Data Protection Impact Assessment. 19.4 The Landlord shall: 22.2.1 19.4.1 Process the Personal Data only in accordance with instructions from the Authority Council to perform its obligations under this Agreement; 19.4.2 ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data (which may be specific instructions or instructions and provide the Council with details of a general nature as set out in this Framework Agreement or as otherwise notified such measures, if so requested by the Authority to the Supplier during the TermCouncil on reasonable notice in writing); 22.2.2 Process 19.4.3 not disclose or transfer the Personal Data only to the extent, and in such manner, as it any third party or Landlord Staff unless necessary for the provision of the Services and, for any disclosure or as transfer of Personal Data to any third party, obtain the prior written approval (save where such disclosure or transfer is required by Law or any 
Regulatory Bodyspecifically authorised under this Agreement); 22.2.3 19.4.4 in accordance with Article 32 of the GDPR, implement appropriate technical and organisational security measures to protect the Personal Data against unauthorised accidental or unlawful Processing and against accidental destruction, loss, destructionalteration, damageunauthorised disclosure of, alteration or disclosure. These measures shall be access to Personal Data transmitted, stored or otherwise processed; 19.4.5 ensure a level of security appropriate to the risk is applied taking into account the harm which might result from any unauthorised accidental or unlawful Processingdestruction, accidental loss, destruction alteration, unauthorised disclosure of, or damage access to the Personal Data and having regard to the nature of the Personal Data which is to transmitted, stored or otherwise processed. The security measures shall include, but shall not be protectedlimited to; 22.2.4 take all reasonable steps to ensure a) the reliability pseudonymisation and encryption of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from b) the Authority in order ability to transfer ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; c) the ability to restore the availability and access to the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or 
(b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out timely manner in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations event of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of 
protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority physical or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.technical incident;

Appears in 1 contract

Samples: Accreditation of Landlords and Supply of Emergency Temporary Accommodation Agreement

Data Protection. 22.1 15.1 With respect to the Parties' parties’ rights and obligations under this Framework AgreementContract, the Parties agree that parties acknowledge that, except where otherwise agreed, the Authority Customer is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall15.2 Where the Supplier, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the Customer, it shall comply with the Data Protection Legislation and more particularly: 22.2.1 15.2.1 Process the Personal Data only in accordance with instructions from the Authority Customer (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement Contract or as otherwise notified by the Authority Customer to the Supplier during the TermContractor); 22.2.2 15.2.2 safeguard Personal Data which will include only transferring Personal Data if essential and encrypting Personal Data where required in accordance with any international data encryption standards and the standards applicable to the Customer; 15.2.3 Process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Services or as is required by Law or any Regulatory BodyAuthority; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 15.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff Supplier Personnel who have access to the Personal Data; 22.2.5 15.2.5 obtain prior Approval written consent from the Authority Customer in order to transfer the Personal Data to any Sub-Contractors or Affiliates third parties for the provision of the Services; 22.2.6 15.2.6 ensure that all Supplier Staff Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)15; 22.2.7 15.2.7 ensure that none of Supplier’s Staff Supplier Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCustomer; 22.2.8 15.2.8 ensure that Customer Personal Data is kept separate from Supplier Personal Data and from any Personal Data belonging to another customer of Supplier; 15.2.9 notify the Authority Customer within five (5) Working Days seven days if it receives: : (a) a request from a Data Subject to have access to that person's Personal Data; or or (b) a complaint or request relating to the AuthorityCustomer's obligations under the Data Protection Legislation; 22.2.9 15.2.10 provide the Authority Customer with full cooperation and assistance in relation to any complaint or request made, including by: : (a) providing the Authority Customer with full details of the complaint or request; ; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the AuthorityCustomer's instructions; ; (c) providing the Authority Customer with any Personal Data it holds in relation to a 
Data Subject (within the timescales required by the AuthorityCustomer); and and (d) providing the Authority Customer with any information requested by the AuthorityCustomer; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing 15.2.11 not Process Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned Customer and, where the Authority or Other Contracting Body concerned Customer consents to Processing and/or transfer outside the European Economic Areaa transfer, to comply with: : (ia) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferredtransferred (for example, by ensuring that any third party based in the USA and processing Personal Data holds and maintains Safe Harbor certification as long as it processes such Personal Data); and and (iib) any reasonable instructions notified to it by the Authority or Contracting Body concernedCustomer. 
22.2.11 The 15.3 Where any Personal Data is Processed by any sub-contractor of the Supplier, the Supplier shall procure that such sub-contractor shall comply at all times with the Data Protection Legislation and shall not perform its relevant obligations under set out in this Framework Agreement in Clause 15 as if such a way as to cause sub-contractor were the Authority to breach any of its applicable obligations under the Data Protection LegislationSupplier.

Appears in 1 contract

Samples: Public Health Substance Misuse Treatment Service Agreement

Data Protection. 22.1 With respect to 16.1 Each party agrees that, in the Parties' rights and performance of its respective obligations under this Framework Agreement: 16.1.1 it shall comply, and procure that its Affiliates, Representatives and/or sub-processors (as applicable) of it or any of its Affiliates shall comply, with all applicable Data Protection Laws; and 16.1.2 it shall not by any act or omission cause the Parties other party (or any other person) to be in breach of any requirements of the Data Protection Laws. 16.2 The parties agree that the Authority Client is the Data Controller and data controller in respect of any personal data that the Supplier is Contractor processes in the Data Processorcourse of its appointment as the preferred supplier to deliver the Services pursuant to this Agreement (other than business contact data processed by the Contractor to allow it to comply with the Agreement and deliver the Services). 22.2 The Supplier 16.3 Accordingly, the Contractor agrees that it shall: 22.2.1 Process 16.3.1 only carry out processing of personal data in respect of which the Personal Data only Client is the data controller on the Client’s instructions from time to time (however if any applicable law, order or regulation requires the Contractor to process personal data other than in accordance with the Client’s instructions from the Authority (which may be specific instructions Contractor shall notify the Client of any such requirement before processing such personal data, unless the applicable law, order or instructions regulation prohibits such notification on important grounds of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Termpublic interest); 22.2.2 Process the Personal Data only to the extent, 16.3.2 implement and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement maintain 
appropriate technical and organisational measures to protect the Personal Data personal data against (without limitation) unauthorised or unlawful Processing processing and against accidental destruction or loss, destructionso as to protect applicable data subjects’ rights in accordance with, damageand enable the Client to comply with its obligations under, alteration applicable Data Protection Laws; 16.3.3 where personal data is lost, damaged, destroyed or disclosure. These measures subject to unauthorised access, immediately notify the Client in writing and take all steps required by Data Protection Laws with respect to notification and remediation; 16.3.4 include in any contract with any subcontractors who shall be appropriate process such personal data directly or indirectly on the Client’s behalf provisions which are at least equivalent to those in this clause 16.3, and the Client hereby consents to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage Contractor’s use of such subcontractors in accordance with this clause 16.3; 16.3.5 as soon as reasonably practicable refer to the Personal Data Client any requests, notices or other communication from data subjects, the Information Commissioner or any other law enforcement authority, for the Client to resolve; and 16.3.6 promptly make available (and having regard shall procure that its Affiliates, Representatives and/or sub-processors (as applicable) of it or any of its Affiliates shall make available) to the nature of the Personal Data which Client such information as is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff reasonably required to access demonstrate the 
Personal Data are informed of the confidential nature of the Personal Data and comply parties’ compliance with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's their respective obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation Laws and assistance in relation / or this clause 16.3, and allow for, permit and contribute to any complaint or request madeaudits, including by:inspections, by the Client (or another auditor mandated by the Client) for this purpose at the Client’s request from time to time. (a) providing 16.4 The Contractor acknowledges and agrees that it shall remain fully liable to the Authority with full details Client under this Agreement for all the acts and omissions of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and each subcontractor appointed by it in accordance with clause 16.3.4 as if they were the Authority's instructions;Contractor’s own actions. 
(c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 16.5 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable Client acknowledges and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure agrees that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of Contractor may be required to transfer personal data which it processes on the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit Client’s behalf to be Processed and/or otherwise transferred countries outside the European Economic Area (which shall be deemed to include the United Kingdom regardless of any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent formal separation of the Authority United Kingdom from the rest of the European Union) or Contracting Body concerned andto an International Organisation. 
Subject to the Contractor ensuring that any such transfer will be undertaken in accordance with the applicable Data Protection Laws, where the Authority or Other Contracting Body concerned Client hereby consents to Processing and/or transfer the Contractor transferring such personal data outside the European Economic Area, Area and/or to comply with: an International Organisation (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concernedas applicable). 22.2.11 16.6 The Supplier Contractor shall comply at all times with notify the Data Protection Legislation and shall not perform its obligations under this Framework Agreement Client immediately in such a way as writing if it becomes aware or has reason to cause the Authority to breach believe that it, or any of its applicable officers, employees, agents or subcontractors have breached or potentially breached any of the Contractor’s obligations under the applicable Data Protection LegislationLaws. Such notice shall set out full details of the circumstances concerning such breach or potential breach. 16.7 For the avoidance of doubt, nothing in this Agreement relieves either Party of any responsibilities or liabilities under Data Protection Laws.

Appears in 1 contract

Samples: Preferred Supplier Agreement

Data Protection. 22.1 With respect 14.1 You shall own all right, title and interest in and to all of the Parties' rights Customer Data and are exclusively responsible for the legality, reliability, integrity, accuracy and quality of the Customer Data. 14.2 The Parties acknowledge that, for the purposes of Data Protection Laws, you are the Controller and we are the Processor of any Personal Data. The scope, nature and purpose of Processing is as set out in Order. 14.3 Each Party confirms that it holds, and during the term of this Agreement will maintain, all registrations and notifications required in terms of the Data Protection Laws which are appropriate to its performance of the obligations under this Framework Agreement. 14.4 Each Party confirms that, in the performance of this Agreement, the Parties agree that the Authority is the it will comply with Data Controller and that the Supplier is the Data ProcessorProtection Laws. 22.2 The Supplier 14.5 We shall: 22.2.1 14.5.1 Process Personal Data only on documented instructions from you, unless required to do so by Data Protection Laws or any other applicable law to which we are subject; in such a case, we shall inform you of that legal requirement before Processing, unless that law prohibits us to so inform you; 14.5.2 ensure that persons authorised to Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions have committed themselves to confidentiality or instructions are under an appropriate statutory obligation of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term)confidentiality; 22.2.2 Process 14.5.3 take all measures required pursuant to Article 32 of the GDPR in respect of security of Processing; 14.5.4 not commission any subcontractor in respect of Processing Personal Data only without your prior written consent (such consent not to the extentbe unreasonably withheld or 
delayed), and in ensure that any such manner, subcontractor we commission complies with the provisions of this Clause 14 as if it necessary for was a Party; 14.5.5 taking into account the provision nature of the Services or as is required Processing, assist you by Law or any Regulatory Body; 22.2.3 implement putting in place appropriate technical and organisational measures measures, insofar as this is possible, for the fulfilment of your obligation to protect respond to requests for exercising the Personal Data against unauthorised or unlawful Processing and against accidental lossSubject's rights laid down in Data Protection Laws, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage extent that such requests relate to this Agreement and our obligations under it; 14.5.6 assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of Processing the Personal Data and having regard the information available to us; 14.5.7 at your option, delete (to the nature of extent practicable) or return all the Personal Data which is to be protected; 22.2.4 take all reasonable steps you after termination of this Agreement or otherwise on your request, and delete existing copies (to ensure the reliability extent practicable) unless applicable law requires our ongoing storage of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain 14.5.8 make available to you all information necessary to demonstrate our compliance with this Clause 14.5, and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you; and 14.5.9 inform you immediately if, in our opinion, an instruction from you infringes (or, if acted upon, might cause the infringement of) Data Protection Laws. 
Subject to Clause 15.2, we shall not have any Liability in respect of any instruction from you that breaches (or causes a breach of) Data Protection Laws to the extent that we could not reasonably have been aware, or could not reasonably be expected to have been aware, that such instruction would breach (or cause a breach of) Data Protection Laws. 14.6 Each Party will notify the other Party as soon as is reasonably practicable if it becomes aware of a Personal Data Breach relating to either Party’s obligations under this Agreement. 14.7 You shall undertake appropriate data protection impact assessments to ensure that Processing of Personal Data complies with Data Protection Laws. We will provide you with reasonable assistance, where necessary and upon your request, in carrying out any data protection impact assessment and undertaking any necessary prior Approval from consultation of the Authority Supervisory Authority. 14.8 It is your responsibility to ensure that Personal Data is dealt with in a way that is compliant with Article 5(1) of the GDPR. 
14.9 You shall ensure that: 14.9.1 you are able to justify the Processing of Personal Data in accordance with Article 6(1) of the GDPR (including, where applicable, obtaining any and all consents of Data Subjects required in order to transfer commence the Personal Data to any Sub-Contractors Processing), and that you have recorded or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in documented this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructionsrecord keeping requirements of the GDPR; (c) providing the Authority with any 14.9.2 where Personal Data it holds in relation to a Data Subject (falls within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings)Special Categories of Personal Data, to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and 
Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.Article 9

Appears in 1 contract

Samples: Customer Terms and Conditions

Data Protection. 22.1 With respect to the Parties' rights 23.1 The Authority recognises, understands, and obligations under this Framework Agreementagrees that Contractor is not subject to, the Parties agree that the Authority is the and therefore does not comply with United Kingdom Data Controller and that the Supplier is the Data ProcessorProtection Legislation. 22.2 23.2 The Supplier Contractor shall: 22.2.1 23.2.1 Process the Personal Data only in accordance with instructions from the Authority or as reasonably necessary to perform the Services (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement Contract or as otherwise notified by the Authority to the Supplier Contractor during the Term); 22.2.2 23.2.2 Process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Services or as is required by Law applicable law or any Regulatory Bodyregulation; 22.2.3 implement appropriate 23.2.3 Implement commercially reasonable technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 23.2.4 obtain prior Approval written consent from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates (except for Xxxxxx North America Inc., to whom Personal Data may be transferred for, among other purposes, IT support functions) for the provision of the Services;, unless necessary to meet its obligations under this Contract and, where such Personal Data is transferred the Contractor shall: 22.2.6 ensure i. provide only the minimum Personal Data necessary; and ii. Require the Sub Contractor to provide an adequate level of protection to any Personal Data that is transferred. 23.2.5 Ensure that all Supplier Contractors’ Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)Condition; 22.2.7 23.2.6 ensure that none of Supplier’s Staff Contractor’s personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityAuthority or as necessary to perform the Services; 22.2.8 23.2.7 notify the Authority reasonably promptly (and within five (5ten Working Days) Working Days if it receives: (a) i. a request from a Data Subject to have access to that person's Personal Data; or (b) a ii. A complaint or request relating to the Authority's Authority’s obligations under the any Data Protection Legislation; 22.2.9 provide 23.2.8 Provide the Authority with full reasonable cooperation and assistance in relation to any complaint or request made, including by: (a) i. 
providing the Authority with full details of the complaint or request; (b) ii. complying with a data access request within a reasonable timeframe of the relevant timescales set out request, making commercially reasonable efforts to respond in time to allow the Data Protection Legislation and in accordance with the Authority's instructionsAuthority adequate time to respond to any such complaint or request; (c) providing iii. Providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authoritya reasonable timeframe); and (d) providing iv. Providing the Authority with any information reasonably requested by the Authority that relates to the Authority; 22.2.10 The Supplier shall: (a) permit 23.2.9 provide the Authority or the Authority’s Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect with appropriate assurances, evidences and audit, explanations of the Supplier's Contractor’s data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractorsand, to the extent Contractor has the right, any Sub-contractors, who process the Authority’s Personal Data) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier Contractor is in full compliance with its obligations under this Framework AgreementContract; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer 
outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Samples: Master Contract

Data Protection. 22.1 With respect The Data Protection Legislation 2018 applies where applicable. For the purposes of these terms, the type of Personal Data being processed, the categories of Data Subjects and the nature and purpose of the Processing is/are those required for the Supplier to perform the services in agreement with the Buyer. The Supplier will agree as part of these terms to the Parties' rights and obligations under this Framework Agreement, confidentiality of any Personal Data that may present itself in the Parties agree that undertaking of the Authority is services with the Data Controller and that the Supplier is the Data Processor. 22.2 Buyer. The Supplier shall: 22.2.1 Process : process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Buyer’s Personal Data only to the extent, and in such manner, as it extent necessary for the provision purpose of providing the Services or as is required by Law or any Regulatory Body; 22.2.3 and in accordance with the Buyer's written instructions implement appropriate technical and organisational measures in accordance with the Data Protection Legislation to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be ensure a level of security appropriate to the harm which might result risks that are presented by such Processing, in particular, from any unauthorised accidental or unlawful Processingdestruction, accidental loss, destruction alteration, unauthorised disclosure of, or damage access to Buyer’s Personal Data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing and the likelihood and severity of risk in relation to the rights and freedoms of the Data Subjects; ensure that any employees or other persons authorised to Process the Buyer’s Personal Data are subject to appropriate obligations of confidentiality; on request by the Buyer’s and having regard to taking into account the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure Processing and the reliability of any Supplier’s Staff who have access information available to the Personal Data; 22.2.5 obtain prior Approval from Supplier, assist the Authority Buyer in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of 
the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full ensuring compliance with its obligations under this Framework Agreement; (b) provide a written description Articles 32 to 36 of the technical and organisational methods employed by GDPR (where applicable) in respect of the Supplier for Processing Buyer’s Personal Data; not transfer the Buyer Personal Data (within the timescales required by the Authority); and (c) not cause to a Third Country or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body an International Organisation without the prior written consent of IPSA – The Buyer; not engage any third party to carry out its Processing obligations under this Contract without obtaining the Authority or Contracting Body concerned prior written consent of the Buyer and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Areasuch consent is given, to comply with: (i) the obligations procuring by way of a Data Controller under written contract that such third party will, at all times during the Eighth 
Data Protection Principle engagement, be subject to data processing obligations equivalent to those set out in this Schedule; notify the Buyer, as soon as reasonably practicable, about any request or complaint received from a Data Subject (without responding to that request, unless authorised to do so by the Buyer and assist the Buyer by technical and organisational measures, insofar as possible, for the fulfilment of the Buyer’s obligations in respect of such requests and complaints; notify the Buyer without undue delay on becoming aware of a Personal Data breach; on request by the Buyer, make available all information necessary to demonstrate the Buyer's compliance with this Schedule 1 and on reasonable advance notice in writing otherwise permit, and contribute to, audits carried out by the Buyer (or its authorised representative) with respect to the Buyer’s Personal Data; on termination or expiry of this Contract, destroy, delete or return (as the Buyer directs) all Buyer Personal Data and delete all existing copies of such data unless required by law to keep or store such Buyer Personal Data. The Supplier warrants that in carrying out its obligations it will not breach the Data Protection Legislation 2018 or do or omit to do anything that might cause the Buyer to be in breach of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 Legislation 2018. 
The Supplier shall indemnify and keep indemnified the IPSA against all costs, claims, damages or expenses incurred by the Buyer or for which the Buyer may become liable due to any failure by the Supplier to comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislationclause.

Appears in 1 contract

Samples: Purchase Order Terms and Conditions

Data Protection. 19.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Purchaser is the Controller and the Provider is the Processor. The only processing that the Provider is authorised to do is listed in Schedule 4 by the Purchaser and may not be determined by the Provider. 19.2 The Provider shall notify the Purchaser immediately if it considers that any of the Purchaser's instructions infringe the Data Protection Legislation. 19.3 The Provider shall provide all reasonable assistance to the Purchaser in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Purchaser, include: (a) A systematic description of the envisaged processing operations and the purpose of the processing; (b) An assessment of the necessity and proportionality of the processing operations in relation to the Care Service; (c) An assessment of the risks to the rights and freedoms of data subjects; and (d) The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 19.4 The Provider shall, in relation to any Personal Data processed in connection with its obligations under this Contract: (a) Process that Personal Data only in accordance with Schedule 4, unless the Provider is required to do otherwise by Law.
If it is so required the Provider shall promptly notify the Purchaser before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Purchaser as appropriate to protect against a Data Loss Event having taken account of the: (i) Nature of the data to be protected; (ii) Harm that might result from a Data Loss Event; (iii) State of technological development; and (iv) Cost of implementing any measures; (c) Ensure that: (i) The Provider personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 4); (ii) It takes all reasonable steps to ensure the reliability and integrity of any Provider personnel who have access to the Personal Data and ensure that they: (A) Are aware of and comply with the Provider’s duties under this condition; (B) Are subject to appropriate confidentiality undertakings with the Provider or any Sub-processor; (C) Are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Purchaser or as otherwise permitted by this Contract; and (D) Have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) Not transfer Personal Data outside of the EU unless the prior written consent of the Purchaser has been obtained and the following conditions are fulfilled: (i) The Purchaser or the Provider has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Purchaser; (ii) The Data Subject has enforceable rights and effective legal remedies; (iii) The Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Purchaser in meeting its obligations); and (iv) The Provider complies with any reasonable instructions notified to it in advance by the Purchaser with respect to the processing of the Personal Data; (e) At the written direction of the Purchaser, delete or return Personal Data (and any copies of it) to the Purchaser on termination of this Contract unless the Provider is required by law to retain the Personal Data.
19.5 Subject to condition 19.6, the Provider shall notify the Purchaser immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory Authority in connection with Personal Data processed under this Contract; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by law; or (f) becomes aware of a Data Loss Event. 19.6 The Provider’s obligation to notify under condition 19.5 shall include the provision of further information to the Purchaser in phases, as details become available.
19.7 Taking into account the nature of the processing, the Provider shall provide the Purchaser with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under condition 19.5 (and insofar as possible within the timescales reasonably required by the Purchaser) including by promptly providing: (a) The Purchaser with full details and copies of the complaint, communication or request; (b) Such assistance as is reasonably requested by the Purchaser to enable the Purchaser to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) The Purchaser, at its request, with any Personal Data it holds in relation to a Data Subject; (d) Assistance as requested by the Purchaser following any Data Loss Event; (e) Assistance as requested by the Purchaser with respect to any request from the Information Commissioner’s Office, or any consultation by the Purchaser with the Information Commissioner's Office. 19.8 The Provider shall maintain complete and accurate records and information to demonstrate its compliance with this condition. This requirement does not apply where the Provider employs fewer than 250 staff, unless: (a) The Purchaser determines that the processing is not occasional; (b) The Purchaser determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) The Purchaser determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 19.9 The Provider shall allow for audits of its Data Processing activity by the Purchaser or the Purchaser’s designated auditor. 19.10 The Provider shall designate a data protection officer if required by the Data Protection Legislation. 
19.11 Before allowing any Sub-processor to process any Personal Data related to this Contract, the Provider must: (a) Notify the Purchaser in writing of the intended Sub-processor and processing; (b) Obtain the written consent of the Purchaser; (c) Enter into a written agreement with the Sub-processor which give effect to the terms set out in this condition 19 such that they apply to the Sub-processor; and (d) Provide the Purchaser with such information regarding the Sub-processor as the Purchaser may reasonably require. 19.12 The Provider shall remain fully liable for all acts or omissions of any Sub-processor. 19.13 The Purchaser may, at any time on not less than 30 Working Days’ notice, revise this condition by replacing it with any applicable controller to processor standard conditions or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 19.14 The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Purchaser may on not less than 30 Working Days’ notice to the Provider amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Samples: Contract for Adult Home Care Services

Data Protection. 14.1 For the purposes of this Clause 14, the terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the Data Protection Legislation. 14.2 Both parties will comply with all applicable requirements of the Data Protection Legislation. This Clause 14 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under Data Protection Legislation. 14.3 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the data controller and that the Supplier is the data processor. 14.4 Without prejudice to Clause 14.2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data (as defined in the Data Protection Legislation) to the Supplier for the duration and purposes of the agreement. 14.5 Without prejudice to Clause 14.2, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under the agreement: 14.5.1 process that Personal Data only on the written instructions of the Customer unless the Supplier is required by Domestic Law to process Personal Data (Purpose).
Where the Supplier is relying on Domestic Law as the basis for processing Personal Data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Domestic Law unless those Domestic Laws prohibit the Supplier from so notifying the Customer; 14.5.2 ensure that any personnel engaged and authorised by the Supplier to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality; 14.5.3 notify the Customer without undue delay on becoming aware of a personal data breach involving the Personal Data; 14.5.4 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 14.5.5 assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to the Supplier), and at the Customer's cost and written request, in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 14.5.6 at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the agreement unless the Supplier is required by Domestic Law to continue to process that Customer Personal Data. For the purposes of this Clause 14.5.6, Customer Personal Data shall be considered deleted where it is put beyond further use by the Supplier; and 14.5.7 maintain records to demonstrate its compliance with this Clause 14. 14.6 The Customer provides its prior, general authorisation for the Supplier to: 14.6.1 appoint processors to process the Customer Personal Data, provided that the Supplier: a. shall ensure that the terms on which it appoints such processors comply with Data Protection Legislation, and are consistent with the obligations imposed on the Supplier in this Clause 14; b. shall remain responsible for the acts and omission of any such processor as if they were the acts and omissions of the Supplier; and c. shall inform the Customer of any intended changes concerning the addition or replacement of the processors, thereby giving the Customer the opportunity to object to such changes provided that if the Customer objects to the changes and cannot demonstrate, to the Supplier's reasonable satisfaction, that the objection is due to an actual or likely breach of Data Protection Legislation, the Customer shall indemnify the Supplier for any losses, damages, costs (including legal fees) and expenses suffered by the Supplier in accommodating the objection. 14.6.2 transfer Personal Data outside of the UK as required for the Purpose, provided that the Supplier shall ensure that all such transfers are effected in accordance with Data Protection Legislation. For these purposes, the Customer shall promptly comply with any reasonable request of the Supplier, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the Commissioner from time to time (where the UK GDPR applies to the transfer).
14.7 Either party may, at any time on not less than 30 days' notice, revise this Clause 16 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement). 14.8 The Supplier's liability for losses arising from breaches of this Clause 14 is as set out in Clause 16.4.2.

Appears in 1 contract

Samples: Terms and Conditions for Supply of Goods and Services

Data Protection. 28.1 With respect to the parties' rights and obligations under this Funding Agreement, the parties agree that the Secretary of State is the Data Controller and that the ERDF Recipient is the Data Processor. 28.2 The ERDF Recipient shall:- (a) process the Personal Data only in accordance with instructions from the Secretary of State (which may be specific instructions or instructions of a general nature as set out in this Funding Agreement or as otherwise notified by the Secretary of State to the ERDF Recipient during the term of this Funding Agreement); (b) process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Project Activities or as is required by Law or any Regulatory Body; (c) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure.
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (d) take all reasonable steps to ensure the reliability of any ERDF Recipient Personnel who have access to the Personal Data; (e) obtain prior written consent from the Secretary of State in order to transfer the Personal Data to any contractors or affiliates for the provision of the Project Activities; (f) ensure that all ERDF Recipient Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 20; (g) ensure that none of ERDF Recipient Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Secretary of State; (h) notify the Secretary of State (within five Working Days) if it receives:- (i) a request from a Data Subject to have access to that person's Personal Data; or (ii) a complaint or request relating to the Secretary of State’s obligations under the Data Protection Legislation; (i) provide the Secretary of State with full cooperation and assistance in relation to any complaint or request made, including by:- (i) providing the Secretary of State with full details of the complaint or request; (ii) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Secretary of State’s instructions; (iii) providing the Secretary of State with any personal data it holds in relation to a Data Subject (within the timescales required by the Secretary of State); and (iv) providing the Secretary of State with any information requested by the Secretary of State; (j) permit the Secretary of State or a representative of the Secretary of State (Following the closure of the UK Audit Commission on 31 March 2015 visit xxxxx://xxx.xxx.xx/government/uploads/system/uploads/attachment_data/file/418033/AC_Future_functions_at_a_glance.pdf to identify which organisation is the successor body or repository for information in a number of common scenarios.), to inspect and audit (subject to the reasonable and appropriate confidentiality undertakings), the ERDF Recipient's Data Processing activities (and/or those of its agents, subsidiaries and contractors) and comply with all reasonable requests or directions by the Secretary of State to enable the Secretary of State to verify and/or procure that the ERDF Recipient is in full compliance with its Data Processing obligations under this Funding Agreement; (k) provide a written description of the technical and organisational methods employed by the ERDF Recipient for processing Personal Data (within the timescales required by the Secretary of State); and (l) not Process Personal Data outside the European Economic Area without the prior written consent of the Secretary of State and, where the Secretary of State consents to a transfer, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Secretary of State.

Appears in 1 contract

Samples: Funding Agreement

Data Protection. The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The CUSTOMER and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. Where the SERVICE PROVIDER, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the CUSTOMER, it shall: carry out the Processing of Personal Data only in accordance with instructions from the CUSTOMER (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the CUSTOMER to the SERVICE PROVIDER during the Term); carry out the Processing of Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; take all reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; obtain prior written consent from the CUSTOMER in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Ordered Services; ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 15; ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CUSTOMER; notify the CUSTOMER (within five (5) Working Days) if it receives: a request from a Data Subject to have access to that person’s Personal Data; or a complaint or request relating to the CUSTOMER’s obligations under the Data Protection Requirements; provide the CUSTOMER with full cooperation and assistance in relation to any complaint or request made, including by: providing the CUSTOMER with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the CUSTOMER’s instructions; providing the CUSTOMER with any Personal Data it holds in relation to a Data Subject (within the timescales required by the CUSTOMER); and providing the CUSTOMER with any information requested by the CUSTOMER; permit the CUSTOMER or its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the SERVICE PROVIDER’s data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the CUSTOMER to enable the CUSTOMER to verify and/or procure that the SERVICE PROVIDER is in full compliance with its obligations under this Contract. In this respect, the SERVICE PROVIDER shall be responsible for maintaining the confidentiality of information relating to its other clients; provide a written description of the technical and organisational methods employed by the SERVICE PROVIDER for Processing Personal Data (within the timescales required by the CUSTOMER); and not undertake the Processing of Personal Data outside the European Economic Area without the prior written consent of the CUSTOMER and, where the CUSTOMER consents to a transfer, to comply with: the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the CUSTOMER.
The SERVICE PROVIDER shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this Contract in such a way as to cause the CUSTOMER to breach any of its applicable obligations under the Data Protection Requirements. The CUSTOMER may from time to time serve on the SERVICE PROVIDER an information notice requiring the SERVICE PROVIDER within such time and in such form as is specified in the information notice, to furnish to the CUSTOMER such information as the CUSTOMER may reasonably require relating to: compliance by the SERVICE PROVIDER with the SERVICE PROVIDER’s obligations under this Contract in connection with the Processing of Personal Data; and/or the rights of Data Subjects, including but not limited to subject access rights. The SERVICE PROVIDER will allow its data Processing facilities, procedures and documentation to be submitted for scrutiny by the CUSTOMER or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Contract. In this respect, the SERVICE PROVIDER shall be responsible for maintaining the confidentiality of information relating to its other clients. With respect to the parties’ rights and obligations under this Contract, the parties acknowledge that, except where otherwise agreed, the CUSTOMER is the Data Controller and the SERVICE PROVIDER is the Data Processor.
Where the SERVICE PROVIDER wishes to appoint, in accordance with the provisions of Clause 31, a Sub-Contractor to assist it in providing the Ordered Services and such assistance includes the Processing of Personal Data on behalf of the CUSTOMER, then, subject always to compliance by the SERVICE PROVIDER with the provisions of Clause 31 relating to the appointment of Sub-Contractors, the CUSTOMER hereby grants to the SERVICE PROVIDER a delegated authority to appoint on the CUSTOMER’S behalf such Sub-Contractor to undertake the Processing of Personal Data provided that the SERVICE PROVIDER shall notify the CUSTOMER in writing of such appointment and the identity and location of such Sub-Contractor. The SERVICE PROVIDER warrants that such appointment shall be on substantially the same terms with respect to Data Protection Requirements as are set out in this Contract, including the terms set out in Clause 15.2. Any Sub-Contractor appointed under the provisions of this Clause 15.6 shall, for the purposes of Schedule 2-8, be regarded as a principal Sub-Contractor and shall be specified in Table 1 of Schedule 2-8. Save as set out in this Clause 15, any unauthorised Processing, use or disclosure of Personal Data by the SERVICE PROVIDER is strictly prohibited. 
The SERVICE PROVIDER shall be liable for and shall indemnify (and keep indemnified) the CUSTOMER against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the CUSTOMER which arise directly or in connection with the SERVICE PROVIDER’s data Processing activities under this Contract, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the SERVICE PROVIDER or its employees, servants, agents or Sub-Contractors. If the SERVICE PROVIDER is responsible for storing any CUSTOMER data as part of the Ordered Services then:

Samples: Telecommunications

Data Protection. 12.1 Each party shall comply with Data Protection Law to the extent applicable to it. 12.2 Each party acknowledges and agrees that: 12.2.1 each party acts as an independent controller of personal data relating to Customer Representatives; and 12.2.2 OneMSP acts as the Customer’s processor of personal data to the extent that it processes personal data in the course of providing Products, for instance personal data shown on screen during a remote support session or stored on infrastructure managed by OneMSP. 12.3 Each party shall provide reasonable assistance and information to the other party on written request in relation to any request, complaint or query made by a data subject of personal data processed in relation to or due to the provision of the Products, or by any supervisory authority. 12.4 Except to the extent otherwise agreed on the Order, the parties agree that, where OneMSP acts as the Customer’s processor, the following description applies to OneMSP’s processing of the Personal Data: 12.4.1 the subject matter, nature and purpose of the processing is the provision of managed IT services to the Customer and its users; 12.4.2 the categories of data subjects are the Customer’s personnel; 12.4.3 the category of personal data processed is the contact details of the Customer’s personnel used in the provision of support, and such personal data that is shown on those users’ screen whilst OneMSP is providing remote support; and 12.4.4 the duration of processing is the Term, (the “Description of Processing”).
12.5 Where OneMSP processes personal data on behalf of the Customer as the Customer’s processor pursuant to this Agreement (“Personal Data”), or uses a sub-contractor to do so, OneMSP shall: 12.5.1 process the Personal Data only on behalf of the Customer and only for the purposes of performing its obligations under the Agreement, which the parties agree are, taken together, the Customer’s written instructions for processing the Personal Data; 12.5.2 ensure that all persons with access to the Personal Data are subject to an obligation of confidentiality or are under an appropriate statutory obligation of confidentiality; 12.5.3 implement the technical and organisational measures required by Article 32 GDPR, taking into account the Description of Processing; 12.5.4 only engage a sub-processor, or disclose Personal Data to a sub-processor, if either they are named in the Sub-Processor List as at the Effective Date or where: (a) the Supplier has added such sub-processor to the Sub-Processor List (for which the Customer may subscribe to email updates via the Sub-Processor List); and (b) the Customer has not objected to such appointment within seven days of the sub-processor being added to the Sub-Processor List, provided that any such objection must be based upon reasonable evidence (which the Customer shall provide to the Supplier) that the appointment of such sub-processor would materially reduce the level of security of the Personal Data; 12.5.5 where the Customer objects to the appointment of a sub-processor pursuant to clause 12.5.4(B), at its option by giving the Customer notice of its intention, do one of the following: (a) propose a different sub-processor (such sub-processor’s appointment still subject to clause 12.5.4); or (b) modify the Services or the way in which they are provided to avoid processing of the Personal Data by that sub-processor, provided that such modification does not materially degrade the Services; 12.5.6 when appointing a sub-processor: (a) ensure that the sub-processor complies with Data Protection Laws; (b) engage the sub-processor on a written agreement giving commitments in relation to processing of the Personal Data no less onerous on the sub-processor than this clause 12.5 is on OneMSP; and (c) remain liable to the Customer for the acts and omissions of the sub-processor in relation to the Personal Data; 12.5.7 taking into account the nature of the processing and the information available to OneMSP, and at the Customer’s cost, provide the Customer with such information that it requires in order to comply with: (a) Articles 32, 35 and 36 GDPR; and (b) Chapter III GDPR, in each case provided that such information has not already been provided to the Customer by OneMSP; 12.5.8 in the event that it becomes aware that it has experienced a personal data breach in respect of such Personal Data: (a) notify the Customer without undue delay after becoming aware of that personal data breach, providing as much information about the nature and impact of it, including the specific categories of Personal Data affected by it, as OneMSP is reasonably able to provide (the Customer acknowledges that such information may be provided in stages as the OneMSP’s investigation proceeds, if it is reasonable to do so); and (b) support and co-operate with the Customer in collecting the information needed by the Customer to comply with its notification obligations under Data Protection Laws to the relevant supervisory authorities and affected data subjects, as the Customer reasonably requires; 12.5.9 at the Customer’s option, delete or return to the Customer the Personal Data when it ceases to provide the relevant Services, including all copies of it unless either: (a) applicable law requires OneMSP to retain the Personal Data; or (b) OneMSP requires such Personal Data in connection with actual or potential legal proceedings; 12.5.10 only transfer the Personal Data outside of the European Economic Area in compliance with Data Protection Laws; 12.5.11 make available to the Customer such information that it reasonably requests where that information is necessary to demonstrate OneMSP’s compliance with this clause 12.5; and 12.5.12 allow the Customer, or its external auditor which is not a direct competitor of OneMSP (and subject to the reasonable and appropriate confidentiality undertakings), to audit OneMSP’s data processing activities (and those of its relevant Affiliates, subsidiaries and Sub-Contractors) to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this clause 12.5, provided that: (a) such right of audit shall not be exercised by the Customer more than once each year, unless specifically required by a supervisory authority of competent jurisdiction; (b) the Customer gives OneMSP not less than 30 days’ prior written notice of its intention to so audit, unless the Customer has reasonable grounds to suspect non-compliance with this clause 12.5; (c) the Customer uses or procures that its auditor uses all reasonable efforts to avoid disruption to OneMSP’s business or operations; (d) neither the Customer nor its auditor will thereby be entitled to access to any data of any other customer of OneMSP, or direct access to any of the Supplier’s or its Affiliates’ systems, unless specifically ordered otherwise by a supervisory authority of competent jurisdiction; (e) any and all information thereby coming into the possession of the Customer or its auditor will be the confidential information of OneMSP or its relevant Affiliate and the Customer will not use or allow it to be used for any other purposes whatsoever and will not disclose, and will procure that is not disclosed, to any third party unless required by law; and (f) the Customer reimburses OneMSP for any costs reasonably incurred by it and its relevant Affiliates, including for its personnel’s time, except where the audit identifies a material breach of this clause 12.5 by OneMSP or its relevant Affiliates.

Samples: Terms and Conditions

Data Protection. 10.1 For the purposes of this clause 10 references to "personal data", "data subject", “personal data breach”, "processing", "data processor" and "data controller" shall have the meaning specified in the Data Protection Xxx 0000 or with effect from 25th May 2018 the General Data Protection Regulation (EU) 2016/679 and any legislation replacing or supplementing the same. 10.2 Each party shall comply with any applicable data protection, privacy or similar laws anywhere in the world (Data Protection Laws), including, the Data Protection Xxx 0000 and the General Data Protection Regulation (EU) 2016/679, that apply in relation to any personal data processed in connection with this agreement, and render such assistance and co-operation as is reasonably necessary or reasonably requested by the other party.
10.3 When Talisman Innovations processes any personal data collected from or about individuals on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller in respect of such personal data and Talisman Innovations shall be the data processor in relation to such personal data and Talisman Innovations agrees that it will: 10.3.1 process such personal data only in accordance with the Customer’s written instructions; 10.3.2 promptly notify the Customer if Talisman Innovations receives notice of any complaint or communication which relates to the processing of such personal data or to either party's compliance with Data Protection Laws unless legally prohibited; 10.3.3 take appropriate technical and organisational security measures against unauthorised or unlawful processing of such personal data and against accidental loss of or damage to such personal data in accordance with the Seventh Data Protection Principle as set out in the Data Protection Xxx 0000 and any legislation replacing or supplementing the same, which shall include the measures set out in this agreement; 10.3.4 not engage another processor without the prior specific or general written consent of the Customer; 10.3.5 as an exception to the requirements of 10.3, the Customer agrees that in an emergency situation where disclosure or transfer of such personal data is necessary to preserve the integrity of the personal data, Talisman Innovations shall be entitled to disclose or transfer such personal data to a third party to the extent only as is required for such purpose. Talisman Innovations shall inform the Customer of the intended disclosure or transfer, together with the identity of the third party, where possible prior to the event or where pre-notification is not possible as soon as possible after the event, in order to give the Customer the opportunity to object to such disclosure or transfer; 10.3.6 ensure that with effect from 25th May 2018 any disclosure or transfer of such personal data to third parties pursuant to clauses 10.3.4 or 10.3.5 shall be made subject to the same data protection obligations as contained in this clause 10.3 by way of a contract or other legal act under EU or Member State law; 10.3.7 not cause or permit any personal data to be transferred to countries outside the European Economic Area that have not received a binding adequacy decision by the European Commission or competent national data protection authority unless subject to the terms of the EU Standard Contractual Clauses or other appropriate transfer mechanism that provides an adequate level of protection in accordance with applicable Data Protection Laws; 10.3.8 give reasonable assistance to the Customer to enable it to respond within required timescales to a request made by a data subject to exercise his or her rights under Data Protection Laws in relation to personal data processed by Talisman Innovations on behalf of the Customer; 10.3.9 taking into account the nature of Talisman Innovations’ processing and the information available to Talisman Innovations (i) provide reasonable assistance to the Customer in undertaking data protection impact assessments relating to the Services provided by Talisman Innovations; and (ii) provide reasonable assistance to the Customer in ensuring compliance with the Customer’s security and breach notification obligations under Data Protection Laws; 10.3.10 ensure that persons authorized on behalf of Talisman Innovations and its sub-contractors to process such personal data are committed to contractually binding confidentiality commitments or are subject to a statutory obligation of confidentiality; 10.3.11 promptly notify the Customer if it becomes aware of any personal data breach that involves personal data processed by Talisman Innovations on behalf of the Customer; 10.3.12 take all reasonable steps to address such a personal data breach, including, where appropriate, measures to mitigate its possible adverse effects and shall consult with the Customer in respect of such resolution or mitigation; 10.3.13 at the Customer’s option and expense, delete or return in accordance with clause 15.6, all such personal data to the Customer on termination of this agreement, and delete existing copies except to the extent that retention of the personal data is required by law; and 10.3.14 make available to the Customer and its regulators all information reasonably necessary to demonstrate compliance with the obligations in this clause 10.3.

Samples: Tide Platform Services Agreement

Data Protection. 1.2.1 The Parties acknowledge their respective duties under the DPA and shall give all reasonable assistance to each other where appropriate or necessary to comply with such duties.
1.2.2 To the extent that the Service Provider is acting as a Data Processor on behalf of the Council, the Service Provider shall, in particular, but without limitation: (a) only process such Personal Data and/or Sensitive Personal Data as is necessary to perform its obligations under this Agreement, and only in accordance with any instruction given by the Council under this Agreement; (b) put in place appropriate technical and organisational measures against any unauthorised or unlawful processing of such Personal Data and/or Sensitive Personal Data, and against the accidental loss or destruction of or damage to such Personal Data and/or Sensitive Personal Data having regard to the specific requirements in this Agreement, the state of technical development and the level of harm that may be suffered by a Data Subject whose Personal Data and/or Sensitive Personal Data is affected by such unauthorised or unlawful processing or by its loss, damage or destruction; (c) take all reasonable steps to ensure the reliability of staff who will have access to such Personal Data and/or Sensitive Personal Data, and ensure that such staff are properly trained in protecting Personal Data and Sensitive Data; (d) provide the Council with such information as the Council may reasonably require to satisfy itself that the Service Provider is complying with its obligations under the DPA; (e) promptly notify the Council of any requests for disclosure of or access to the Personal Data and/or Sensitive Personal Data; (f) promptly notify the Council of any breach of the security measures required to be put in place pursuant to this clause 1.2.2; (g) ensure it does not knowingly or negligently do or omit to do anything which places the Council in breach of the Council’s obligations under the DPA. (h) to the extent that any Council data is held and/or processed by the Service Provider, the Service Provider shall supply that Council data to the Council as requested by the Council. (i) ensure that it is registered under the DPA and the registration covers any processing required under this Agreement.
1.2.3 The Service Provider and the Council shall ensure that Personal Data and sensitive personal Data is safeguarded at all times in accordance with the law.

Samples: End User Licence Agreement

Data Protection. 23.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Commissioner is the Data Controller and that the Supplier is the Data Processor.
23.2 The Supplier shall: 23.2.1 Process any Personal Data (as defined in the Data Protection Act 1998 as the same may be amended, replaced or re-enacted from time to time, any applicable statutory or regulatory provisions and all European Directives and regulations in force from time to time relating to the protection and transfer of personal data and any successor legislation without limitation including the General Data Protection Regulation (EU) 2016/679 with effect from 25 May 2018, together known as the “Data Protection Laws”) only in accordance with instructions from the Commissioner (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Commissioner to the Supplier) and in line with the Data Protection Laws; 23.2.2 Process the Personal Data only to the extent, and in such manner, as it is necessary for the delivery of the Supplier’s services or as is required by law or any regulatory body; 23.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 23.2.4 take all reasonable steps to ensure the reliability of any staff who have access to the Personal Data and ensure that all staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 23; 23.2.5 ensure that no staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Commissioner; 23.2.6 notify the Commissioner (within five (5) Working Days) if it receives: 23.2.6.1 a request from a Data Subject to have access to that person's Personal Data; or 23.2.6.2 a complaint or request relating to the Commissioner’s obligations under the Data Protection Laws; 23.2.7 provide the Commissioner with full cooperation and assistance in relation to any complaint or request made, including by: 23.2.7.1 providing the Commissioner with full details of the complaint or request; 23.2.7.2 complying with a data access request within the relevant timescales set out in the Data Protection Laws and in accordance with the Commissioner’s instructions; 23.2.7.3 providing the Commissioner with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Commissioner).

Appears in 1 contract

Samples: Supply Agreement

Data Protection. 22.1 The Parties agree that in relation to: 22.1.1 Personal Data processed by the Provider in providing Services under this Agreement (for example, patient details, medical history and treatment details), the Provider shall be the sole Data Controller; and 22.1.2 Personal Data, the processing of which is required by the Commissioner for the purposes of quality assurance, performance management and contract management the Commissioner and the Provider will be independent Data Controllers; together the “Agreed Purpose”. 22.2 Where the Commissioner requires information under clause 9.1.2 above, the Personal Data requirements shall be as set out in Schedule 2, including the type of Personal Data and duration of processing. Each Party shall comply with all the obligations imposed on a Data Controller under the Data Protection Laws in relation to all Personal Data that is processed by it in the course of performing its obligations under this Agreement. 22.3 Any material breach of the Data Protection Laws by one Party shall, if not remedied within fourteen (14) days of written notice from the other Party, give grounds to the other Party to terminate this Agreement with immediate effect. 22.4 In relation to the Processing of any Personal Data, each Party shall: 22.4.1 ensure that it has all necessary notices and consents in place to enable lawful sharing of Personal Data to the Permitted Recipients for the Agreed Purpose; 22.4.2 give full information to any Data Subject whose Personal Data may be processed under this Agreement of the nature of such Processing; 22.4.3 process the Personal Data only for the Agreed Purpose; 22.4.4 not disclose or allow access to the Personal Data to anyone other than the Permitted Recipients; 22.4.5 ensure that all Permitted Recipients are reliable and have had sufficient training pertinent to the care and handling of the Personal Data; 22.4.6 ensure that all Permitted Recipients are subject to written contractual obligations concerning the Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this Agreement; 22.4.7 ensure that it has in place appropriate technical and organisational measures, to protect the Personal Data against unauthorised or unlawful Processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data in accordance with Article 32 GDPR; 22.4.8 not transfer any Personal Data outside the European Economic Area unless the transferor ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR; or (iii) one of the derogations for specific situations in Article 49 GDPR applies to the transfer; and 22.4.9 assist the other Party (at its own cost) in responding to any request from a Data Subject and in ensuring its compliance with all applicable requirements and obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or the UK’s Information Commissioner’s Office.
22.2.9 provide 22.5 Each Party shall notify the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details other Party without undue delay on becoming aware of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations Breach under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is 
transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Samples: Pharmacy Needle Exchange Service Agreement

Data Protection. 6.1 The Parties agree that in relation to: 6.1.1 Personal Data processed by the Contractor in providing Services under this Agreement (for example, patient details, medical history and treatment details), the Contractor shall be the sole Data Controller; and 6.1.2 Personal Data, the processing of which is required by CGL or the Head Commissioner for the purposes of quality assurance, performance management and contract management CGL, the Head Commissioner and the Contractor will be independent Data Controllers; together the “Agreed Purpose”. 6.2 Where CGL or the Head Commissioner requires information under clause 6.1.2 above, the Contractor shall consider whether the requirement can be met by providing anonymised or aggregated data which does not contain Personal Data. Where Personal Data must be shared in order to meet the requirements of CGL or the Head Commissioner, the Contractor shall provide such information in pseudonymised form where possible. 6.3 Schedule 2 sets out the categories of Data Subjects, types of Personal Data, Processing operations (including scope, nature and purpose of Processing) and the duration of Processing. 6.4 Each Party shall comply with all the obligations imposed on a Data Controller under the Data Protection Laws in relation to all Personal Data that is processed by it in the course of performing its obligations under this Agreement. 6.5 Any material breach of the Data Protection Laws by one Party shall, if not remedied within fourteen (14) days of written notice from the other Party, give grounds to the other Party to terminate this Agreement with immediate effect. 6.6 In relation to the Processing of any Personal Data, each Party shall: 6.6.1 ensure that it has all necessary notices and consents in place to enable lawful sharing of Personal Data to the Permitted Recipients for the Agreed Purpose; 6.6.2 give full information to any Data Subject whose Personal Data may be processed under this Agreement of the nature of such Processing; 6.6.3 process the Personal Data only for the Agreed Purpose; 6.6.4 not disclose or allow access to the Personal Data to anyone other than the Permitted Recipients; 6.6.5 ensure that all Permitted Recipients are reliable and have had sufficient training pertinent to the care and handling of the Personal Data; 6.6.6 ensure that all Permitted Recipients are subject to written contractual obligations concerning the Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this Agreement; 6.6.7 ensure that it has in place appropriate technical and organisational measures, to protect the Personal Data against unauthorised or unlawful Processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data in accordance with Article 32 GDPR; 6.6.8 not transfer any Personal Data outside the European Economic Area unless the transferor ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR; or (iii) one of the derogations for specific situations in Article 49 GDPR applies to the transfer; and 6.6.9 assist the other Party (at its own cost) in responding to any request from a Data Subject and in ensuring its compliance with all applicable requirements and obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or the UK’s Information Commissioner’s Office.
22.2.9 provide 6.7 Each Party shall notify the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details other Party without undue delay on becoming aware of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations Breach under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is 
transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Samples: Service Level Agreement

Data Protection. 17.1. The Customer is the Controller for the Personal Data and DRC is the Processor for the Personal Data. The Processor agrees to process the Personal Data only in accordance with Data Protection Legislation. 17.2. The Parties acknowledge that the Processor may process Personal Data on behalf of the Controller during the term of this Agreement. 17.3. To the extent that the Processor processes Personal Data on behalf of the Controller in connection with this Agreement, the Processor shall: 17.3.1. Solely process the Personal Data for the purposes of fulfilling its obligations under this Agreement and in compliance with the Controller’s written instructions as set out in this Agreement and as may be specified from time to time in writing by the Controller. 17.3.2. Notify the Controller immediately if any instructions of the Controller relating to the processing of the Personal Data are unlawful. 17.3.3. Assist the Controller in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR taking into account the nature of the data processing undertaken by the Processor and the information available to the Processor, including (without limitation): 17.3.3.1. Not engage with any Sub-Processor/Sub-Contractor to carry out any processing of Personal Data without the prior written consent of the Controller (such consent not to be unreasonably withheld), provided that notwithstanding any such consent the Processor shall remain liable for compliance with all of the requirements of this Agreement including in relation to the processing of Personal Data. 17.4. The Processor shall ensure that any persons used by the Processor to process Personal Data are subject to legally binding obligations of confidentiality in relation to the Personal Data and shall ensure that only such persons used by it to provide the Services have undergone training in Data Protection and in the care and handling of Personal Data. 17.5. The Processor shall take appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of or damage to Personal Data taking into account the harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and the nature of the Personal Data to be protected including without limitation, all such measures that may be required to ensure compliance with Article 32 of the GDPR. 17.6. The Processor shall promptly notify the Controller if it receives a request from a Data Subject (Data Subject Access Request) under any Data Protection Legislation in respect of Personal Data. 17.7. The Processor shall provide information and assistance upon request to enable the Controller to notify Data Security Breaches to the Information Commissioner and/or affected individuals and/or to any other regulators to whom the Controller is required to notify any Data Security Breaches. 17.8. Upon termination of this Agreement, at the choice of the Controller, the Processor shall delete securely or return all Personal Data to the Controller and delete all existing copies of the Personal Data unless and to the extent that the Processor is required to retain copies of the Personal Data in accordance with Applicable Laws in which case the Processor shall notify the Controller in writing of the Applicable Laws which require the Personal Data to be retained. 17.9. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations and allow for and contribute to audits, including inspections, conducted by or on behalf of the Controller or by the Information Commissioner's Office (ICO) pursuant to Article 58(1) of the GDPR. 17.10. The Processor shall not transfer any Personal Data outside of the European Economic Area unless the following conditions are fulfilled: (a) the Controller or the Processor has provided appropriate safeguards in relation to the transfer; (b) the Data Subject has enforceable rights and effective legal remedies; (c) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (d) the Processor complies with reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.

Appears in 1 contract

Samples: General Terms & Conditions

Data Protection. 22.1 The Parties undertake to comply with all their respective obligations under the DPA and warrant that they have in place and shall maintain throughout the continuance of the Agreement, all necessary notifications with the Information Commissioner’s Office as required under the DPA. 22.2 The Broker warrants that to the extent that it transfers Personal Data to Close pursuant to this Agreement, appropriate consent has been obtained from each Data Subject whose Personal Data is transferred. 22.3 The Broker shall and upon request from Close, provide a copy of all Customers’ Personal Data held by them in such format and/or media as Close may reasonably specify. 22.4 If and to the extent that Close passes Personal Data to the Broker for processing, the Broker shall: (a) process the Personal Data only for the purpose and in the manner specified by Close, in accordance with Close’s instructions from time to time and subject to appropriate technical and organisational security measures to protect the Personal Data from inadvertent loss, damage, alteration or destruction and/or disclosure; (b) treat the Personal Data as confidential and not disclose the Personal Data to any third party without Close’s prior written consent; (c) not transfer the Personal Data outside of the European Economic Area without Close’s prior written consent; (d) comply with any request from Close requiring the Broker to amend, transfer or delete any Personal Data which was provided by Close; (e) notify Close immediately if it receives a complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or either Party’s compliance with the DPA and provide Close with full co-operation and assistance in relation to any such complaint, notice or communication; (f) promptly inform Close if any Personal Data is lost or destroyed or becomes damaged, corrupted or unusable; (g) ensure that access to the Personal Data is limited to such Personnel who require access to it for the purposes of enabling the Broker to perform its obligations under this Agreement and provided that such Personnel are aware of the confidential nature of the Personal Data and agree to be bound by confidentiality obligations at least equivalent to those imposed on the Broker hereunder; and (h) notify Close within 3 Business Days if it receives a request from a Data Subject for access to that person’s Personal Data. 22.5 For the avoidance of doubt, Close shall not be required to transfer any Personal Data belonging to Customers to the Broker unless it has obtained consent from the Customer to do so. 22.6 The Broker agrees to indemnify and keep indemnified and hold Close harmless from and against any and all loss, liability, costs (including professional fees), claims, damages or demands which Close may suffer or for which it may become liable as a result of or in connection with any breach by the Broker of the terms of this clause 22.

Appears in 1 contract

Samples: Terms of Trade

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Authority Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Authority Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Goods and Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Authority Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Authority Personal Data and having regard to the nature of the Authority Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Supplier Staff who have access to the Authority Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Authority Personal Data to any Sub-Contractors or Affiliates Affiliated Company for the provision of the Goods and Services; 22.2.6 ensure that all Supplier Supplier’s Staff required to access the Authority Personal Data are informed of the confidential nature of the Authority Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)22; 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Authority Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the 
Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Authority Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: 22.2.10.1 permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; 22.2.10.2 provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and 22.2.10.3 not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Authority Personal Data and Personal Data supplied to it by the Authority or any other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to 
comply with: 22.2.10.3.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and 22.2.10.3.2 any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Samples: Framework Agreement

Data Protection. 22.1 With a) The parties agree that they shall comply with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, along with any associated guidance and codes of practice as issued from time to time (collectively “Data Protection Legislation”) with respect to the Parties' rights Services. b) For the purposes of this Section 16: Data Controller, Data Subjects, Personal Data and obligations Processing shall have the meaning as provided in the Data Protection Legislation c) The parties agree that they will each act in the capacity of Data Controller in respect of the Personal Data processed under this Framework Agreement, the Parties agree that the Authority is the Data Controller Agreement and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 each will Process the Personal Data only in accordance with instructions from the Authority as independent Data Controllers. d) The parties (which may be specific instructions including their employee’s agents or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier officers) shall at all times during the Term); 22.2.2 Process period of this Agreement comply with the Personal provisions and obligations imposed by this Section 16 and the Data only Protection Legislation generally, including any requirement to the extentobtain registrations, consents, and in such manner, provide notifications and relevant privacy information to Data Subjects as it necessary required for the provision purposes of the Services or as is required by Law or any Regulatory Body;their obligations under this Agreement. 
22.2.3 implement e) The parties warrant and represent that they each have in place appropriate technical and organisational organizational measures to protect the Personal Data against unauthorised accidental or unlawful Processing and against destruction or accidental loss, destructionalteration, damageunauthorized disclosure or access, alteration or disclosure. These measures shall be and which provide a level of security appropriate to the harm which might result from risk represented by the processing and the nature of the data to be protected. f) Each party shall notify the other without undue delay on becoming aware of any unauthorised or unlawful Processing, accidental loss, destruction or damage breach of the Data Protection Legislation in relation to the Personal Data and having regard Processed under this Agreement. g) Whilst each party shall be responsible for responding to the nature of any complaint in relation to the Personal Data which is Processed pursuant to be protected; 22.2.4 take all this Agreement, or any request by individuals to exercise the Data Subject's Rights, the parties will co-operate with each other and provide reasonable steps to ensure the reliability of assistance with any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to request, proceedings or inquiry by any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a affected Data Subject to have access to that 
person's Personal Data; or (b) a complaint and/or the Information Commissioner or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required other body authorized by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body statute which are concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in 
Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations in connection with data processed under this Framework Agreement. h) The provisions of this Section 16 shall apply during the continuance of the Agreement in such a way as to cause the Authority to breach any of and indefinitely after its applicable obligations under the Data Protection Legislationtermination.

Appears in 1 contract

Samples: Consulting Services Agreement

Data Protection. 22.1 With respect 27.1 In this clause 27, the terms, “processing”, “data controller” and “data processor”, “data protection officer” “data subject” “personal data” “personal data breach” shall have the same meanings given to them under UK GDPR or the EU GDPR as the context requires. 27.2 The Supplier acknowledges the only Processing that it is authorised to do is listed in Schedule 7 (Processing Personal Data) by UKRI. 27.3 The Supplier shall notify UKRI immediately if it considers that any of UKRI’s instructions infringe the Data Protection Legislation. 27.4 The Supplier shall provide all reasonable assistance to UKRI in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of UKRI, include: 27.4.1 a systematic description of the envisaged Processing and the purpose of the Processing; 27.4.2 an assessment of the necessity and proportionality of the Processing in relation to the Parties' Goods and/or Services; 27.4.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 27.4.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 27.5 The Supplier shall, in relation to any Personal Data Processed in connection with its obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shallContract: 22.2.1 27.5.1 Process the that Personal Data only in accordance with instructions from the Authority Schedule 7 (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to Processing Personal Data), unless the Supplier during is required to do otherwise by Law. 
If it is so required the Term); 22.2.2 Process Supplier shall notify UKRI before Processing the Personal Data only unless prohibited by Law; 27.5.2 ensure that it has in place Protective Measures, (if the Supplier is holding UKRI Data, including back-up data, that it is held by a secure system that complies with the Security Policy and any applicable Security Management Plan) which UKRI may reasonably reject (but failure to the extent, and in such manner, as it necessary for the provision reject shall not amount to approval by UKRI of the Services or as is required by Law or any Regulatory Body;adequacy of the Protective Measures) having taken account of the: 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the a) nature of the Personal Data which is data to be protected; 22.2.4 take b) harm that might result from a Personal Data Breach; c) state of technological development; and d) cost of implementing any measures; 27.5.3 ensure that: a) the Supplier Staff do not Process Personal Data except in accordance with the Contract (and in particular Schedule 7 (Processing Personal Data)); b) it uses all reasonable steps endeavours to ensure the reliability and integrity of any Supplier’s Supplier Staff who have access to the Personal DataData and ensure that they: (i) are aware of and comply with the Supplier’s duties under this Clauses 28 and 25; 22.2.5 obtain prior Approval from (ii) are subject to appropriate confidentiality undertakings with the Authority in order to transfer the Personal Data to Supplier or any Subsub-Contractors or Affiliates for the provision of the Servicesprocessor; 22.2.6 ensure that all 
Supplier Staff required to access the Personal Data (iii) are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by UKRI or as otherwise permitted by this Contract; and (iv) have undergone adequate training in the Authorityuse, care, protection and handling of Personal Data; 22.2.8 notify 27.5.4 not transfer Personal Data outside of the Authority within five (5) Working Days if it receivesUK unless the prior written consent of UKRI has been obtained and the following conditions are fulfilled: (a) a request from a Data Subject to have access to that person's Personal Datathe transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or (b) a complaint UKRI or request relating the Supplier has provided appropriate safeguards in relation to the Authority's transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by UKRI which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (the “Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures determined by UKRI; c) the Data Subject (as defined by the Data Protection Act 2018) has enforceable rights and effective legal remedies; d) the Supplier complies with its obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation 
and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferredtransferred (or, if it is not so bound, uses its best endeavours to assist UKRI in meeting its obligations); and (iie) the Supplier complies with any reasonable instructions notified to it in advance by UKRI with respect to the Processing of the Personal Data; 27.5.5 where the Personal Data is subject to EU GDPR, not transfer Personal Data outside of the EU unless the prior written consent of 
UKRI has been obtained and the following conditions are fulfilled: a) the transfer is in accordance with Article 45 of the EU GDPR; or b) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Authority non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or Contracting Body concerned.such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the non-transferring Party; 22.2.11 The Supplier shall comply at all times c) the Data Subject has enforceable rights and effective legal remedies; d) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and e) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and 27.5.6 at the written direction of UKRI, delete or return Personal Data (and any copies of it) to UKRI on termination of this Contract unless the Supplier is required by Law to retain the Personal Data. 
27.6 Subject to Clause 28.7, the Supplier shall not perform its obligations notify UKRI immediately if in relation to it Processing Personal Data under or in connection with this Framework Agreement in such Contract it: 27.6.1 receives a way as Data Subject Access Request (or purported Data Subject Access Request); 27.6.2 receives a request to cause the Authority rectify, block or erase any Personal Data; 27.6.3 receives any other request, complaint or communication relating to breach any of its applicable either Party's obligations under the Data Protection Legislation; 27.6.4 receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data Processed under the Contract; 27.6.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 27.6.6 becomes aware of a Personal Data Breach. 27.7 The Supplier’s obligation to notify under Clause 28.6 shall include the provision of further information to UKRI, as details become available. 
27.8 Taking into account the nature of the Processing, the Supplier shall provide UKRI with assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 28.6 (and insofar as possible within the timescales reasonably required by UKRI) including by immediately providing: 27.8.1 UKRI with full details and copies of the complaint, communication or request; 27.8.2 such assistance as is reasonably requested by UKRI to enable it to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; 27.8.3 UKRI, at its request, with any Personal Data it holds in relation to a Data Subject; 27.8.4 assistance as requested by UKRI following any Personal Data Breach; and/or 27.8.5 assistance as requested by UKRI with respect to any request from the Information Commissioner’s Office or any other regulatory authority, or any consultation by UKRI with the Information Commissioner's Office or any other regulatory authority. 27.9 The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with Clause 28. This requirement does not apply where the Supplier employs fewer than 250 staff, unless: 27.9.1 UKRI determines that the Processing is not occasional; 27.9.2 UKRI determines the Processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or 27.9.3 UKRI determines that the Processing is likely to result in a risk to the rights and freedoms of Data Subjects. 27.10 The Supplier shall allow for audits of its Data Processing activity by UKRI or UKRI’s designated auditor. 27.11 The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation. 
27.12 Before allowing any sub-processor to process any Personal Data related to the Contract, the Supplier must: 27.12.1 notify UKRI in writing of the intended sub-processor and processing; 27.12.2 obtain the written consent of UKRI; 27.12.3 enter into a written agreement with the sub-processor which give effect to the terms set out in this Clause 28 such that they apply to the sub-processor; and 27.12.4 provide UKRI with such information regarding the sub-processor as UKRI may reasonably require. 27.13 To the extent that UKRI provides its consent pursuant to clause 28.12, the Supplier shall flow down the contractual obligations contained in this clause 28 to sub- processors. For the avoidance of doubt, the Supplier shall remain fully liable for all acts or omissions of any of its sub-processor. 27.14 UKRI may, at any time on not less than 30 Working Days’ notice, revise this Clause 28 by replacing it with any applicable controller to Supplier standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 27.15 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. UKRI may on not less than 30 Working Days’ notice to the Supplier amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Samples: Contract for Supply of Goods

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the 15.1 The Parties agree that the Authority is will comply with all applicable requirements of the Data Controller and that the Supplier Protection Legislation. This clause is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extentaddition to, and in such mannerdoes not relieve, as it necessary for the provision of the Services remove or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental lossreplace, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the AuthorityParty's obligations under the Data Protection Legislation; 22.2.9 provide . In this clause, Applicable Laws means (for so long as and to the Authority with full cooperation extent that they apply to the Provider) Domestic UK law; and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in Domestic UK Law means the Data Protection Legislation and any other law that applies in accordance with the Authority's instructions;UK. 
(c) providing 15.2 During the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those term of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide Agreement it is anticipated that each party shall be a written description of the technical separate and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a individual Data Controller under the Eighth Data Protection Principle set out in Schedule 1 respect of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; andProcessed pursuant to this Framework Agreement. Each party acknowledges that it has obligations under the Data Protection Legislation including, without limitation, to: (ii) any reasonable instructions notified 15.2.1 Make due notification to it by the Authority or Contracting Body concerned. 
22.2.11 The Supplier shall Supervisory Authority, including in relation to its use and Processing of the Personal Data and comply at all times with the Data Protection Legislation including ensuring that it has all necessary appropriate consents and shall notices in place to enable lawful processing of the Personal Data for the duration and purposes of this Framework Agreement. 15.2.2 Ensure that all Personal Data disclosed or transferred to, or accessed by, the Parties is accurate and up-to-date, as well as adequate, relevant and not perform its obligations excessive to enable them to Process the Personal Data, as envisaged under this Framework Agreement. 15.2.3 Ensure that appropriate operational and technical measures are in place to safeguard against any unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data. 15.2.4 Take reasonable steps to ensure the reliability of any staff who have access to the Personal Data. 15.2.5 Hold the information contained in the Personal Data confidentially. 15.3 In respect of Personal Data processed by the Provider pursuant to this Framework Agreement the Provider shall: 15.3.1 promptly, and in any event within 48 hours of receipt of any Data Subject Request or Authority Correspondence, notify the Council in the event that it receives such a way as Data Subject Request or Authority Correspondence in relation to cause the Authority processing of Personal Data under, or in connection with, this Framework Agreement. 15.3.2 promptly and in no more than 24 hours notify the Council in writing upon it becoming aware of any actual or suspected breach of clause 15.2.3 in relation to breach any of its applicable obligations under the Personal Data Protection Legislation.and shall, within such timescale to be agreed by the Parties (acting reasonably and good faith):

Appears in 1 contract

Samples: Framework Agreement

Data Protection. 26.1 Prior to transferring any Personal Data to S4C, the Company shall ensure that it has an appropriate lawful basis for the transfer of the Personal Data to S4C and has ensured an appropriate lawful basis to enable S4C to process the Personal Data for the purposes of exploitation of the Products of the Services and in the administration of this Agreement. Where appropriate, the Producer shall obtain from each contributor identified in the Products of the Services a signed contributor contract (in a form agreed between the parties) stating that the lawful basis for processing non-special category personal data shall be in performance of the contract. All Personal Data supplied to S4C shall be processed in compliance with S4C’s data protection policy and relevant privacy notice in force from time to time. 26.2 Without prejudice to the generality of clause 26.1 above, the Company shall ensure that all contracts with contributors identified in the Products of the Services include that S4C shall be a controller in relation to the relevant contributor’s Personal Data for the purpose of exploitation of the Products of the Services, and shall direct the contributors to a link to the S4C Privacy Notice (available at xxxx://xxx.x0x.xxxxx/media/media_assets/2018.11.29_Privacy_Notice_for_Contributors.pdf). 26.3 Both parties agree to comply with all applicable requirements of the Data Protection Laws. This clause 26.3 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Laws. 
26.4 Without prejudice to the generality of clause 26.3 above, each party shall, in relation to any Personal Data processed in connection with the performance by the Company of its obligations under this Framework Agreement: 26.4.1 assist the other party, free of charge, to respond to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 26.4.2 maintain adequate records, policies and procedures to demonstrate its compliance with Data Protection Laws, and make such records, policies and procedures available to the other party on reasonable request; and 26.4.3 appoint a data protection officer if required to do so under the Data Protection Laws, or, where it is not required to do so, to appoint an individual responsible for data protection and inform the other party of the name of that individual. 26.5 Without prejudice to the generality of clause 26.3, the parties agree in relation to any Personal Data processed by that party solely as a processor on behalf of the other party as controller under this Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 
22.2 The Supplier processor shall: 22.2.1 Process 26.5.1 process the Personal Data only in accordance with instructions from on the Authority (which may be specific instructions or written instructions of a general nature as set out in this Framework Agreement the controller and, on the written direction of the controller, delete or as otherwise notified by the Authority return such Personal Data and copies thereof to the Supplier during the Termcontroller on termination of this Agreement (unless precluded from doing so pursuant to any applicable laws); 22.2.2 Process 26.5.2 allow for audits by the Personal Data only to the extent, and in such manner, as it necessary for the provision controller or its designated auditor of the Services or as is required by Law or any Regulatory Bodyprocessor’s data protection procedures and processes in connection with this Agreement; 22.2.3 implement 26.5.3 ensure that it has in place appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing of Personal Data and against accidental lossloss or destruction of, destructionor damage to, damagePersonal Data, alteration or disclosure. 
These measures shall be appropriate to the harm which that might result from any the unauthorised or unlawful Processing, processing or accidental loss, destruction or damage and the nature of the data to the Personal Data and be protected, having regard to the nature state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data which is to can be protected; 22.2.4 take all reasonable steps to ensure restored in a timely manner after an incident, and regularly assessing and evaluating the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's 
instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description effectiveness of the technical and organisational methods employed measures adopted by the Supplier for Processing it); 26.5.4 ensure that all personnel who have access to and/or process Personal Data (within are obliged to keep the timescales required by Personal Data confidential, that they are reliable and understand the Authority); andprocessor’s contractual obligations to the other; (c) 26.5.5 not cause or permit to be Processed and/or otherwise transferred transfer any Personal Data outside of the European Economic Area any or appoint a third party to process the Personal Data supplied to it by the Authority or any Other Contracting Body without unless the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferredother has been obtained; and 26.5.6 notify the other party without undue delay and no later than within 24 hours 
on becoming aware of a Personal Data breach. S4C should be notified via the following email address: xxxx@x0x.xxxxx 26.6 Laws and guidelines relating to Personal Data regularly develop and S4C may, at any time on not less than 30 days’ notice, revise this clause 26 in order to reflect any change in good practice or guidelines by replacing them with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (ii) any reasonable instructions notified which shall apply when replaced by attachment to it by the Authority or Contracting Body concernedthis Agreement). 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Samples: Agreement for the Provision of Campaign Project Management and Digital Material Production Services

Data Protection. 18.1. The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The AUTHORITY and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements.
18.2. Where the SERVICE PROVIDER, pursuant to its obligations under this Framework Agreement, processes Personal Data on behalf of the AUTHORITY, it shall: 18.2.1. process the Personal Data only in accordance with instructions from the AUTHORITY (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the AUTHORITY to the SERVICE PROVIDER during the Term); 18.2.2. process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Services or as is required by Law or any Regulatory Body; 18.2.3. implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 18.2.4. take all reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; 18.2.5. obtain prior written consent from the AUTHORITY in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 18.2.6. ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 18; 18.2.7. ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AUTHORITY; 18.2.8. notify the AUTHORITY (within five (5) Working Days) if it receives: 18.2.8.1. a request from a data subject to have access to that person’s Personal Data; or 18.2.8.2. a complaint or request relating to the AUTHORITY’s obligations under the Data Protection Requirements; 18.2.9. provide the AUTHORITY with full cooperation and assistance in relation to any complaint or request made, including by: 18.2.9.1. providing the AUTHORITY with full details of the complaint or request; 18.2.9.2. complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the AUTHORITY’s instructions; 18.2.9.3. providing the AUTHORITY with any Personal Data it holds in relation to a data subject (within the timescales required by the AUTHORITY); and 18.2.9.4. providing the AUTHORITY with any information requested by the AUTHORITY; 18.2.10. permit the AUTHORITY or its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with Clause 33, the SERVICE PROVIDER’s data processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the AUTHORITY to enable the AUTHORITY to verify and/or procure that the SERVICE PROVIDER is in full compliance with its obligations under this Framework Agreement; 18.2.11. provide a written description of the technical and organisational methods employed by the SERVICE PROVIDER for processing Personal Data (within the timescales required by the AUTHORITY); and 18.2.12. not process Personal Data outside the European Economic Area without the prior written consent of the AUTHORITY and, where the AUTHORITY consents to a transfer, to comply with: 18.2.12.1. the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and 18.2.12.2. any reasonable instructions notified to it by the AUTHORITY.
18.3. The SERVICE PROVIDER shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this Framework Agreement in such a way as to cause the AUTHORITY to breach any of its applicable obligations under the Data Protection Requirements.
18.4. The AUTHORITY may from time to time serve on the SERVICE PROVIDER an information notice requiring the SERVICE PROVIDER within such time and in such form as is specified in the information notice, to furnish to the AUTHORITY such information as the AUTHORITY may reasonably require relating to: 18.4.1. compliance by the SERVICE PROVIDER with the SERVICE PROVIDER’s obligations under this Framework Agreement in connection with the processing of Personal Data; and/or 18.4.2. the rights of data subjects, including but not limited to subject access rights. 18.5. The SERVICE PROVIDER will allow its data processing facilities, procedures and documentation to be submitted for scrutiny by the AUTHORITY or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Framework Agreement. 18.6. With respect to the parties’ rights and obligations under this Framework Agreement, the parties acknowledge that, except where otherwise agreed, the AUTHORITY is the Data Controller and the SERVICE PROVIDER is the Data Processor. Where the SERVICE PROVIDER wishes to appoint, in accordance with the provisions of Clause 31, a Sub-Contractor to assist it in providing the Services and such assistance includes the processing of Personal Data on behalf of the AUTHORITY, then, subject always to compliance by the SERVICE PROVIDER with the provisions of Clause 31 relating to the appointment of Sub-Contractors, the AUTHORITY hereby grants to the SERVICE PROVIDER a delegated authority to appoint on the AUTHORITY’S behalf such Sub-Contractor to process Personal Data provided that the SERVICE PROVIDER shall notify the AUTHORITY in writing of such appointment and the identity and location of such Sub-Contractor. The SERVICE PROVIDER warrants that such appointment shall be on substantially the same terms with respect to Data Protection Requirements as are set out in this Framework Agreement, including the terms set out in Clause 18.2. 
Any Sub-Contractor appointed under the provisions of this Clause 18.6 shall, for the purposes of Schedule 9, be regarded as a principal Sub-Contractor and shall be specified in Table 1 of Schedule 9. 18.7. Save as set out in this Clause 18, any unauthorised processing, use or disclosure of Personal Data by the SERVICE PROVIDER is strictly prohibited. 18.8. The SERVICE PROVIDER shall be liable for and shall indemnify (and keep indemnified) the AUTHORITY against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the AUTHORITY which arise directly or in connection with the SERVICE PROVIDER’s data processing activities under this Framework Agreement, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the SERVICE PROVIDER or its employees, servants, agents or Sub-Contractors.

Appears in 1 contract

Samples: Framework Agreement

Data Protection. 17.1 The terms Data Controller, Data Processor, Data Subject, Personal Data and Processing shall have the meaning given to them in the Data Protection Laws. 17.2 Each party shall: 17.2.1 comply with all Data Protection Laws; 17.2.2 co-operate with any regulatory authority for data processing; and 17.2.3 keep such records of processing of Customer Personal Data as required under Data Protection Laws. 17.3 The Parties each acknowledge that the Data may include Personal Data (as further detailed in schedule 2 part 7 paragraph 5) and that the Company may, as part of the Services, be a Data Processor in respect of such Personal Data and the Licensee shall be the Data Controller.
17.4 The Company agrees that it shall: 17.4.1 Process the Personal Data only strictly in accordance with Data Protection Laws, the terms of this Agreement and the Licensee's instructions from time to time unless otherwise required by law or any regulatory body (in which case the Company shall, where permitted, inform the Licensee of that legal requirement before Processing); 17.4.2 in a manner consistent with the Act, implement appropriate technical and organisational measures to protect the rights of the Data Subject and safeguard such personal Data from unauthorised or unlawful processing or accidental loss, destruction or damage, and that having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from any unauthorised or unlawful processing or accidental loss, destruction or damage to the Personal Data and having regard to the nature of such data to be protected; 17.4.3 ensure that each of its employees, agents and subcontractors are made aware of its obligations under this clause with regard to the security and protection of such personal Data and take all such reasonable steps to maintain the levels of security and protection provided for in this clause; 17.4.4 not divulge such personal Data whether directly or indirectly to any person, firm or company or otherwise without the express prior written consent of the Licensee except to those of its employees, agents and subcontractors who are engaged in the processing of such personal Data and are subject to the binding obligations referred to in clause 17.4.3 or except as may be required by any law or regulation; 17.4.5 notify the Licensee without undue delay on becoming aware of a personal data breach and cooperate with the Licensee to resolve such issue; 17.4.6 not process or transfer such Personal Data outside of the European Economic Area except as permitted under Data Protection Laws (or as otherwise authorised by the Licensee); and 17.4.7 promptly notify the Licensee of any breach or potential breach of this clause or if it otherwise has reason to consider that there has been a Personal Data breach and cooperate with the Licensee to resolve such issue; 17.4.8 provide such assistance as the Licensee may require to allow it to inform a regulatory authority or Data Subject of a Personal Data breach, to conduct a data protection impact assessment or to consult with a regulatory authority regarding the Processing of Personal Data; 17.4.9 at the Licensee’s expense, provide such assistance as the Licensee may reasonably require to assist it to comply with its obligations to keep the Personal Data secure, allow it to inform a regulatory authority or data subject of a personal data breach, conduct a data protection impact assessment, consult with a regulatory authority regarding the processing of Personal Data and/or respond to requests made by data subjects pursuant to Data Protection Laws; 17.4.10 from time to time on request provide details of its Processing activities in respect of the Personal Data, including the address of all locations where such Processing takes place, and allow its data processing facilities, procedures and documentation which relate to the Processing of the Personal Data to be inspected (on reasonable written notice during its normal business hours and subject to any reasonable requirements or restrictions that the Company may impose to safeguard the personal data it holds on behalf of other clients and/or avoid unreasonable disruption to the Company’s business) by the Licensee, a representative of the Licensee or a regulatory body in order to ascertain compliance with Data Protection Law and the terms of this Agreement; and 17.4.11 on termination of this Agreement return (or, at the Licensee’s discretion, delete) all Data processed on behalf of the Licensee pursuant to this Agreement and delete any copies, save to the extent retention is required by law.
17.5 The Licensee acknowledges that the Company is reliant on the Licensee for direction as to the extent to which the Company is entitled to use and process the Personal Data held by the Licensee. Consequently, the Company shall not be liable for any claim brought by a Data Subject arising from any act, default or omission by the Company, to the extent that such act, default or omission resulted directly from the Licensee’s instructions. 17.6 The Licensee authorises the Company to appoint sub-processors from time to time provided that the Company shall notify the Licensee of any intended changes concerning the addition or replacement of other sub-processors and shall impose upon any sub-processor (and procure any sub-processor’s compliance with) the terms of this clause 17 as if the processing being carried out by the sub-processor was being carried out by the Company (and the Company shall be liable for the acts and omissions of such sub-processors as if they were the Company’s own acts and omissions under this Agreement).
17.7 The Licensee warrants and represents that: 17.7.1 all Personal Data has been lawfully obtained and retained by Licensee (or its nominated third party) and it has the right to allow the Company to process all Personal Data as part of the Services and the rights to license the Company to receive and use the Personal Data it holds, as contemplated by this Agreement; and 17.7.2 all necessary consents and data processing notices have been provided in relation to the processing of the Personal Data; 17.7.3 all such Personal Data is necessary, accurate and up-to-date; 17.7.4 it will not do or omit to do anything which will place the Company in breach of any Data Protection Laws; 17.7.5 it will only process personal data in accordance with the relevant principles under the Data Protection Laws; and 17.7.6 any processing of the Data by the Company in accordance with clause 17.4.1 shall not contravene any Data Protection Laws or infringe the rights of the data subject or any third party.
17.8 Without prejudice to any other right or remedy the Company may have, the Licensee shall indemnify, keep indemnified and hold the Company harmless against all claims, demands, penalties, fines, actions, costs, expenses, losses and damages suffered or incurred by or awarded against the Company arising from or in connection any breach by the Licensee of this clause 17, as a result of the processing the Personal Data in accordance with clause 17.4.1 and/or any breach of Data Protection Laws by the Licensee whether or not such matters were foreseeable or foreseen at the date of this agreement.

Appears in 1 contract

Samples: Software Licence and Services Agreement

Data Protection. 17.1. With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor in relation to Authority Personal Data. The Supplier shall (and shall procure that Staff) comply with any notification requirements under the Data Protection Legislation
17.2. Notwithstanding the general obligation in Clause 17.1, where the Supplier is Processing any Authority Personal Data for the Authority the Supplier shall ensure that it has in place appropriate technical and organisational measures to ensure the security of the Authority Personal Data (and to guard against unauthorised or unlawful Processing of the Authority Personal Data and against accidental loss or destruction of, or damage to, the Authority Personal Data), as required under the ‘Seventh Data Protection Principle’ in schedule 1 to the Data Protection Xxx 0000 and shall: 17.2.1. provide the Authority with such information as the Authority may reasonably request to satisfy itself that the Supplier is complying with its obligations under the Data Protection Legislation; 17.2.2. promptly notify the Authority of any breach of the security measures to be put in place pursuant to this Clause 17.2; 17.2.3. ensure that it does not knowingly or negligently do or omit to do anything which places the Authority in breach of its obligations under the Data Protection Legislation; 17.2.4. take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Authority Personal Data; 17.2.5. obtain prior Approval from the Authority in order to transfer the Authority Personal Data to any Sub-Contractors or Affiliated Company for the provision of the Services; 17.2.6. ensure that all Supplier Staff required to access the Authority Personal Data are informed of the confidential nature of the Authority Personal Data and comply with the obligations set out in this Clause 17; 17.2.7. ensure that none of the Staff publish, disclose or divulge any of the Authority Personal Data to any third party unless directed in writing to do so by the Authority; 17.2.8. notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Authority Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; and 17.2.9. provide the Authority with full cooperation and assistance in relation to any complaint or request made relating to the Authority Personal Data, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Authority Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority.
17.3. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: (a) the Supplier shall propose a variation to the Authority which, if it is agreed by the Authority, shall be dealt with in accordance with Clause Error! Reference source not found. (Variation Procedure) and Clauses 1.1.1(b) to 1.1.1(d); (b) the Supplier shall set out in its proposal to the Authority for a Variation, details of the following: (i) the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; (ii) the Restricted Countries to which the Personal Data will be transferred and/or Processed; and (iii) any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; (iv) how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Authority’s compliance with the DPA; (c) in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and (d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Authority may notify in writing, including: (i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and (ii) procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: (A) a direct data processing agreement with the Authority on such terms as may be required by the Authority; or (B) a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority deems necessary for the purpose of protecting Personal Data.
17.4. The Supplier shall use its reasonable endeavours to assist the Authority to comply at all times with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of the Authority’s obligations under the DPA to the extent

Appears in 1 contract

Samples: Framework Agreement

Data Protection. 22.1 19.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that for the Authority is purposes of the Data Controller Protection Legislation both the Local Authority and that the Supplier is provider are acting as independent data controllers for the purposes of this agreement and are individually responsible for ensuring they comply with all relevant duties and obligations. 19.2 The provider, where required by legislation, shall be registered under the Data ProcessorProtection Act 2018 (“the 2018 Act”) and shall comply with its obligations under the 2018 Act and the Computer Misuse Act insofar as performance of this Agreement gives rise to the obligations under those Acts. 22.2 The Supplier shall:19.3 Parties will ensure that they do nothing knowingly or negligently which places the other Parties in breach of that Party’s obligations under the 2018 Act. 22.2.1 Process 19.4 Notwithstanding the Personal Data only general obligation in accordance with instructions from Clause 12, where the Service Provider is processing personal data (as defined by the 2018 Act) as a data processor for the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified defined by the Authority to 2018 Act) the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and Service Provider shall ensure that it has in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement place appropriate technical and organisational measures to protect ensure the Personal Data security of the personal data (and to guard against unauthorised or unlawful Processing processing of the personal data and against accidental lossloss or destruction of, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to to, the Personal Data and having regard to the nature personal data), as required under Article 5 of the Personal Data which GDPR and: 19.4.1 Provide the Authority with such information as the Authority may reasonably require to satisfy itself that the Service Provider is complying with its obligations under the 2018 Act; 19.4.2 Promptly notify the Authority of any breach of the security measures required to be protected;put in place pursuant to Clause 19.4; and 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from 19.4.3 Ensure that it does nothing knowingly or negligently which places the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision breach of the Services;Authority’s obligations under the 2018 Act. 
22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data 21.1 Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's Service Provider’s obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and auditAct 2018, the Supplier's data Processing activities (and/or those of its agents, subsidiaries Service Provider will provide such assistance and Sub-Contractors) and comply with all reasonable requests or directions support which may reasonably be requested from time to time by the Authority to enable for the purposes of enabling or assisting the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods 
employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: 21.1.1 the Freedom of Information Act 2000 and associated Regulations and Statutory Instructions (“FOIA”); and 21.1.2 any code of practice, guidance, practice recommendation, decision, notice, information notice and enforcement notice which may be issued from time to time by the Department of Constitutional Affairs or the Office of the Information Commissioner. 21.2 Without prejudice to Clause 20, and in the event of: 21.2.1 a request made on the Authority for access to information under the FOIA; or 21.2.2 any notice, recommendation or compliant made to the Authority in relation to the FOIA, 21.2.3 the Service Provider will provide to the Authority: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 relation to an access request, any details in respect of the Data Protection Act 1998 by providing an adequate level information as the Authority may request and a copy of protection to any Personal Data that is transferredthe relevant information where the Authority requests such copy; and (ii) in relation to any reasonable instructions notified to it by notice, recommendation or complaint, any background details, supporting documentation and copy information which the Authority may request in order to deal with such notice, recommendation or Contracting Body concernedcomplaint (iii) within 10 Working Days of the date of the request from the Authority. 
22.2.11 The Supplier shall comply 21.3 In the event that the Service Provider receives directly: 21.3.1 a request for information under the FOIA; and/or 21.3.2 any notice, recommendation or compliant in relation to a matter for which the Authority is legally responsible under the FOIA 21.3.3 the Service Provider will: (i) immediately pass such request, notice, recommendation or complaint to the Authority’s Authorised Representative for action at all times the Authority’s sole discretion, along with full background details and any supporting documentation relating to the subject matter of such request, notice, recommendation or complaint; and (ii) not act or omit to act, including making any representations or entering into any communications with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement relevant third party, in such a way as to cause prejudice the Authority’s position in relation to such request, notice, recommendation or compliant. 21.4 The Service Provider acknowledges that the Authority is obliged under the FOIA to breach disclose information, including information relating to its appointment under this Agreement, to third parties, subject to certain exemptions. The Service Provider further accepts and acknowledges that the decision to disclose information and the application of any of such exemptions under the FOIA will be at the Authority’s sole discretion provided that the Authority shall act reasonably and proportionately in exercising its applicable obligations under the FOIA, by giving such notice as is reasonable in the circumstances and considering whether any exemptions under Section 43 FOIA may apply to protect the Service Provider’s legitimate commercial and trade secrets. 
Annexe A - Confirmation of Attendance Privacy notice Disability Access Fund Declaration Is your child eligible and in receipt of Disability Living Allowance (DLA) Yes No If your child is splitting their funded entitlement across two or more providers please nominate the main setting where the local authority should pay the DAF: Declaration SCHEDULE A Commercial Sensitive Data Protection Legislation.B1. The following information relating to the Contract shall be classed as “commercially sensitive” and shall therefore constitute “Data” for the purposes of this Agreement: 1. Any and all information relating to and including, but not limited to data relating to pay, pensions and personnel details of the staff of the Data Controller handled and stored by the Data Processor 2. Any and all information relating to and including, but not limited to data relating to pay, pensions and personnel details of the staff of the Data Controller handled and stored by the Data Processor 3. Information as mentioned in sections B1 and B2 above

Appears in 1 contract

Samples: Early Education Provider Agreement

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliated Company for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22; 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's 
Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level 
of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Samples: Courier Services Framework Agreement

Data Protection. 22.1 With respect 17.1 The Contractor‟s attention is hereby drawn to the Parties' rights Data Protection requirements. LSIS and the Contractor shall observe their obligations under the Data Protection requirements. 17.2 Where the Contractor, pursuant to its obligations under this Framework AgreementContract, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier processes personal data on behalf of LSIS, it shall: 22.2.1 Process 17.2.1 process the Personal Data personal data only in accordance with instructions from the Authority LSIS (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement Contract or as otherwise notified by the Authority LSIS to the Supplier Contractor during the Termcontract); 22.2.2 Process 17.2.2 process the Personal Data personal data only to the extent, and in such manner, as it is necessary for the provision of the Services Service(s) or as is required by Law or any Regulatory Body;regulatory body 22.2.3 17.2.3 implement appropriate technical and organisational measures to protect the Personal Data personal data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processingprocessing, accidental loss, destruction or damage to the Personal Data personal data and having regard to the nature of the Personal Data personal data which is to be protected; 22.2.4 17.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff Contractor personnel who have access to the Personal Data;personal data 22.2.5 17.2.5 obtain prior Approval written consent from the Authority LSIS in order to transfer the Personal Data personal data to any Subsub-Contractors or Affiliates for the provision of the Services;Service(s) 22.2.6 17.2.6 ensure that all Supplier Staff any Contractor personnel required to access the Personal Data personal data are informed of the confidential nature of the Personal Data personal data and comply with the obligations set out in this Clause 22 (Data Protection);Condition 22.2.7 17.2.7 ensure that none of Supplier’s Staff the Contractor personnel publish, disclose or divulge any of the Personal Data personal data to any third party unless directed in writing to do so by the Authority;LSIS 22.2.8 17.2.8 notify the Authority LSIS (within five (55 working days) Working Days if it receives: (a) 17.2.8.1 a request from a Data Subject data subject to have access to that person's Personal Data; orperson‟s personal data (b) 17.2.8.2 a complaint or request relating to the Authority's LSIS‟s obligations under the Data Protection Legislation;requirements 22.2.9 17.2.9 provide the Authority LSIS with full cooperation and assistance in relation to any complaint or request made, including by: (a) 17.2.9.1 providing the Authority LSIS with full details of the complaint or request; (b) 17.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation requirements and in accordance with the Authority's instructions;LSIS‟s instruction (c) 17.2.9.3 providing the 
Authority LSIS with any Personal Data personal data it holds in relation to a Data Subject data subject (within the timescales required by the Authority; andLSIS) (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) 17.2.10 permit the Authority LSIS or the Authority’s Representative its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, audit the Supplier's Contractor‟s data Processing processing activities (and/or those of its agents, subsidiaries and Subsub-Contractors) and comply with all reasonable requests or directions by the Authority LSIS to enable the Authority it to verify and/or procure that the Supplier Contractor is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 
22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.Contract

Appears in 1 contract

Samples: Contract for the Provision of Services

Data Protection. 22.1 With respect 16.1 The SERVICE PROVIDER’s attention is hereby drawn to the Parties' rights Data Protection Requirements. The CUSTOMER and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. 16.2 Where the SERVICE PROVIDER, pursuant to its obligations under this Framework AgreementContract, processes Personal Data on behalf of the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier CUSTOMER, it shall: 22.2.1 Process 16.2.1 process the Personal Data only in accordance with instructions from the Authority CUSTOMER (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement Contract or as otherwise notified by the Authority CUSTOMER to the Supplier SERVICE PROVIDER during the Term); 22.2.2 Process 16.2.2 process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; 22.2.3 16.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 16.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff SERVICE PROVIDER personnel who have access to the Personal Data; 22.2.5 16.2.5 obtain prior Approval written consent from the Authority CUSTOMER in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Ordered Services; 22.2.6 16.2.6 ensure that all Supplier Staff any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)16; 22.2.7 16.2.7 ensure that none of Supplier’s Staff the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCUSTOMER; 22.2.8 16.2.8 notify the Authority CUSTOMER (within five (5) Working Days Days) if it receives: (a) 16.2.8.1 a request from a Data Subject data subject to have access to that person's ’s Personal Data; or (b) 16.2.8.2 a complaint or request relating to the Authority's CUSTOMER’s obligations under the Data Protection LegislationRequirements; 22.2.9 16.2.9 provide the Authority CUSTOMER with full cooperation and assistance in relation to any complaint or request made, including by: (a) 16.2.9.1 providing the Authority CUSTOMER with full details of the complaint or request; (b) 16.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation Requirements and in accordance with the Authority's CUSTOMER’s instructions; (c) 16.2.9.3 providing the Authority CUSTOMER with any Personal Data it holds in relation to a Data Subject data subject (within the timescales 
required by the AuthorityCUSTOMER); and (d) 16.2.9.4 providing the Authority CUSTOMER with any information requested by the AuthorityCUSTOMER; 22.2.10 The Supplier shall: (a) 16.2.10 permit the Authority CUSTOMER or the Authority’s Representative its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, audit the Supplier's SERVICE PROVIDER’s data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority CUSTOMER to enable the Authority CUSTOMER to verify and/or procure that the Supplier SERVICE PROVIDER is in full compliance with its obligations under this Framework AgreementContract; (b) 16.2.11 provide a written description of the technical and organisational methods employed by the Supplier SERVICE PROVIDER for Processing processing Personal Data (within the timescales required by the AuthorityCUSTOMER); and (c) 16.2.12 not cause or permit to be Processed and/or otherwise transferred process Personal Data outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned CUSTOMER and, where the Authority or Other Contracting Body concerned CUSTOMER consents to Processing and/or transfer outside the European Economic Areaa transfer, to comply with: (i) 16.2.12.1 the obligations of a Data Controller data controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 
22.2.11 16.3 The Supplier SERVICE PROVIDER shall comply at all times with the Data Protection Legislation Requirements and shall not perform its obligations under this Framework Agreement Contract in such a way as to cause the Authority CUSTOMER to breach any of its applicable obligations under the Data Protection LegislationRequirements. 16.4 The CUSTOMER may from time to time serve on the SERVICE PROVIDER an information notice requiring the SERVICE PROVIDER within such time and in such form as is specified in the information notice, to furnish to the CUSTOMER such information as the CUSTOMER may reasonably require relating to: 16.4.1 compliance by the SERVICE PROVIDER with the SERVICE PROVIDER’s obligations under this Contract in connection with the processing of Personal Data; and/or 16.5 The SERVICE PROVIDER will allow its data processing facilities, procedures and documentation to be submitted for scrutiny by the CUSTOMER or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Contract. 16.6 With respect to the parties’ rights and obligations under this Contract, the parties acknowledge that, except where otherwise agreed, the CUSTOMER is the data controller and the SERVICE PROVIDER is the data processor. Where the SERVICE PROVIDER wishes to appoint, in accordance with the provisions of Clause 29, a Sub-Contractor to assist it in providing the Ordered Services and such assistance includes the processing of Personal Data on behalf of theCustomer, then, subject always to compliance by the SERVICE PROVIDER with the provisions of Clause 29 relating to the appointment of Sub-Contractors, the CUSTOMER hereby grants to the SERVICE PROVIDER a delegated authority to appoint on the CUSTOMER’S behalf such Sub-Contractor to process Personal Data provided that the SERVICE PROVIDER shall notify the CUSTOMER in writing of such appointment and the identity and location of such Sub-Contractor. 
The SERVICE PROVIDER warrants that such appointment shall be on substantially the same terms with respect to Data Protection Requirements as are set out in this Framework Agreement, including the terms set out in Clause 16.

Appears in 1 contract

Samples: Framework Agreement

Data Protection. 22.1 With respect 14.1 Where applicable and subject to the Parties' rights and obligations under this Framework Agreementclause 14.7, the Parties agree that the Authority Client is the "Data Controller Controller" and that the Supplier is the Data "Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance " with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority respect to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject 
to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation provided to Supplier by Client. 14.2 As a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Processor, Supplier shall: (a) permit process any Personal Data in accordance with the Authority instructions of Client, the Data Protection Legislation and / or the Authority’s Representative (subject to the reasonable provisions of this Agreement, and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreementfor no other purpose; (b) provide a written description of the take appropriate technical and organisational methods employed by the Supplier for Processing organizational measures to prevent unauthorized or unlawful processing of Personal Data (within the timescales required by the Authority); andData, as well as any accidental damage, loss or destruction thereof; (c) take all reasonable steps to ensure that all Supplier (and its Affiliates) Representatives who access, or process Personal Data are required to maintain confidentiality; (d) Except as provided in 
Section 14.5 of these Terms and Conditions, Supplier will not cause or permit to be Processed and/or otherwise transferred transfer any Personal Data outside the European Economic Area any Personal Data supplied to unless it by the Authority or any Other Contracting Body without has obtained the prior written consent of from Client, and that the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply withfollowing conditions are met: (i) Supplier has provided appropriate precautions regarding this transfer; (ii) the data subject has enforceable rights and effective legal remedies; (iii) Supplier complies with its obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 Legislation by providing an adequate level of protection to any for all Personal Data that is transferred; and (iiiv) any comply with all reasonable instructions regarding the processing of Personal Data, which Client has notified to it by the Authority or Contracting Body concerned.in advance; 22.2.11 The Supplier shall comply (e) assist Client, at all times Client's expense, to respond to any requests from a data subject and to assist Client in complying with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable his / her obligations under the Data Protection Legislation, in the field of security, notification of infringements, impact assessment and consultations with supervisory or regulatory authorities; (f) notify Client as soon as possible of any violation of Personal Data that it becomes aware of; (g) Upon Client's written directive, Supplier will delete or return Personal Data, as well as their copies, upon termination of the Agreement, unless a law in force requires them to 
store the Personal Data; and (h) maintain complete and accurate records and information to demonstrate compliance with clause 14.2. 14.3 Client shall: (a) process Personal Data in accordance with the provisions of the Data Protection Legislation; (b) ensure that the processing of the Personal Data of such individuals is in accordance with any applicable privacy policy; and (c) provide Supplier with the assistance reasonably required by Supplier to comply with its obligations under this clause 14. 14.4 Client will not use the Services: (a) to send commercial, or marketing e-mails or unwanted invitations; (b) to request particular categories of Personal Data from the data subjects and / or disclose them to third parties; (c) to request, collect, store and / or disclose credit or social security card numbers of Respondents or violate one or more Data Protection Legislation; (d) to communicate any message or document deemed offensive, abusive, harassing, threatening, indecent, obscene, racially, ethnically or otherwise, hateful, deviant, defamatory, slanderous or otherwise unlawful; (e) in a manner constituting a violation of any Intellectual Property Rights of a third party; (f) in any way constituting a violation of any applicable laws, rules or regulations, including, but not limited to, any Data Protection Legislation; or (g) in a manner constituting or encouraging conduct that is considered to be a crime or a civil offense by law and regulation in force. 14.5 Client consents to the transfer of Personal Data to the Group Company Toluna USA, Inc. ("Toluna USA") for hosting and backup purposes. Toluna USA acknowledges that the European Union has strict safeguards regarding the processing of Personal Data within the EU, including obligations to provide adequate protection for Personal Data transferred outside the EU. 
To provide adequate protection for certain Personal Data concerning individuals within the EU (including our business customers, suppliers, business partners, job applicants and employees in the United States). Toluna USA has chosen to certify its own membership of the EU-US Privacy Shield Framework administered by the US Department of Commerce ("Data Protection Shield"). Toluna USA is responsible for the processing of Personal Data it receives, in accordance with the Data Protection Shield, and then transfers it to a third party acting as agent for its own account. Toluna USA adheres to the principles of the Data Protection Shield: notification, choice, responsibility for the subsequent transfer, security, integrity and limitation to a specific purpose of the Personal Data, access, remedy, application and liability. 14.6 The Parties shall comply with Appendix 1 where Supplier shares Personal Data for Services titled ‘Xxxxxx Interactive Pop-Up Communities’, ‘Toluna Quick Communities’ or Services relating to Digital Tracking under clause 20.

Appears in 1 contract

Samples: Terms and Conditions

Data Protection. 22.1 27.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 27.2 The Supplier shall: 22.2.1 Process 27.2.1 process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process 27.2.2 process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Available Services or as is required by Law or any Regulatory Body; 22.2.3 27.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 27.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Supplier Staff who have access to the Personal Data; 22.2.5 27.2.5 obtain prior Approval written consent from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Available Services; 22.2.6 27.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)27; 22.2.7 27.2.7 ensure that none of Supplier’s Supplier Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 27.2.8 notify the Authority within 
five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 27.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) 27.2.10 permit the Authority or the Authority’s Authority Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the 
Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Samples: Framework Agreement
