Common use of INFORMATION AND DATA PROTECTION Clause in Contracts

INFORMATION AND DATA PROTECTION. 17.1 Guru Technology and the Client may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement. 17.2 Each Party will keep in strict confidence all technical or commercial know-how, specifications, inventions, processes or initiatives which are of a confidential nature and any other confidential information, whether written or oral, concerning the other party’s business 17.2.1.1 their employees, contractors or professional advisers who shall require the information in order for the Client or Guru Technology to fulfill its obligations under the Agreement; or 17.2.1.2 in the case of the Client, its users to the extent that they are required to use or access the Service. 17.3 Information shall not be treated as confidential if it is: 17.3.1.1 lawfully in the public domain; 17.3.1.2 lawfully in the possession of the Client or Guru Technology before disclosure from the other has taken place; 17.3.1.3 obtained from a third person who is entitled to disclose it; or 17.3.1.4 replicated independently by someone without access or knowledge of the information. 17.4 If the Client receives a request under the Freedom of Information Xxx 0000 which encompasses any information provided to the Client by Guru Technology in connection with the Contract the Client will notify Guru Technology immediately of the request and give Guru Technology at least ten Business Days to make representations before releasing the requested information (save to the extent otherwise required by law). Data Protection Data Protection Legislation Data Subject GDPR Personal Data Breach Processor 17.5 This clause only applies to the extent that Guru Technology is Processing Personal Data on behalf of the Client. 17.6 Both Parties will comply with all applicable requirements of the Data Protection Legislation. 17.7 The Parties acknowledge that for the purposes of the Data Protection Legislation, Client is the Controller and Guru Technology is the Processor. 17.8 The Privacy & Data Policy sets out the scope, nature and purpose of Processing by Guru Technology, the duration of the Processing, the types of Personal Data and the categories of Data Subject. 17.9 Without prejudice to the generality of Clause 17.6 17.9.1 Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Guru Technology for the purposes of these Terms; and 17.9.2 Guru Technology will: 17.9.2.1 Process Personal Data only on the written instructions of Client, including regarding transfers of Personal Data outside of the European Economic Area, unless Guru Technology is required to do so by a legal obligation and, if so Guru Technology will notify Client of this before such Processing, unless a legal obligation prohibits this; 17.9.2.2 ensure that all personnel authorised by Guru Technology to Process Personal Data are obliged to keep the Personal Data confidential; 17.9.2.3 ensure that it has in place appropriate technical and organisational measures designed to protect against a Personal Data Breach, appropriate to the harm that might result from such Personal Data Breach and the nature of the Personal Data to be protected Guru Technology shall have regard to the state of technological development and the cost of implementing any measures, including, where appropriate: (A) pseudonymising and encrypting Personal Data; (B) ensuring confidentiality, integrity, availability and resilience of its systems and services; (C) ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident; and (D) regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it; 17.9.2.4 notify Client without undue delay if it becomes aware of a Personal Data Breach; 17.9.2.5 assist Client in responding to any requests from Data Subjects and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators, save that if this is not within the reasonable remit of the Services, this will be at Client’s cost; 17.9.2.6 at Client’s written direction, delete (or put Beyond Use) or return Personal Data to Client once provision of the Services has ceased, unless required by a legal obligation tostore the Personal Data; and 17.9.2.7 maintain records and information to demonstrate it compliance with this clause 10 and, where this is not sufficient, allow for audits by Client or Client’s auditor solely to demonstrate compliance, at Client’s cost, provided that the Client : (A) will not exercise its audit rights more than once in any three (3) year period, save where Client reasonably believes that a further audit is required due to Personal Data Breach; (B) gives at least thirty (30) days’ written notice of its intention to audit, including specific details on the scope of the audit and any required evidence; (C) conducts its audit during normal business hours and limits it audit to a maximum of 2 Business Days; and (D) takes all reasonable measures to prevent material business interruption to Guru Technology 18 CHANGES TO THE CONDITIONS, SERVICE SPECIFIC CONDITIONS AND CONTRACT 18.1 Guru Technology may change the Conditions and/or Service Specific Conditions and/or policies at any time and will publish any change in line with condition 18.2.

INFORMATION AND DATA PROTECTION. 17.1 Guru Technology and the Client may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement. 17.2 Each Party will keep in strict confidence all technical or commercial know-how, specifications, inventions, processes or initiatives which are of a confidential nature and any other confidential information, whether written or oral, concerning the other party’s 's business 17.2.1.1 their employees, contractors or professional advisers who shall require the information in order for the Client or Guru Technology to fulfill fulfil I its obligations under the Agreement; or 17.2.1.2 in the case of the Client, its users to the extent that they are required to use or access the Service. 17.3 Information shall not be treated as confidential if it is: 17.3.1.1 lawfully in the public domain; 17.3.1.2 lawfully in the possession of the Client or Guru Technology before disclosure from the other has taken place; 17.3.1.3 obtained from a third person who is entitled to disclose it; or 17.3.1.4 replicated independently by someone without access or knowledge of the information. 17.4 If the Client receives a request under the Freedom of Information Xxx 0000 which encompasses any information provided to the Client by Guru Technology in connection with the Contract the Client will notify Guru Technology immediately of the request and give Guru Technology at least ten Business Days to make representations before releasing the requested information (save to the extent otherwise required by law). Data Protection Data Protection Legislation Data Subject GDPR Personal Data Breach "Process" Processor 17.5 This clause only applies to the extent that Guru Technology is Processing Personal Data on behalf of the Client. 17.6 Both Parties will comply with all applicable requirements of the Data Protection Legislation. 17.7 The Parties acknowledge that for the purposes of the Data Protection Legislation, Client is the Controller and Guru Technology is the Processor. 17.8 The Privacy & Data Policy sets out the scope, nature and purpose of Processing by Guru Technology, the duration of the Processing, the types of Personal Data and the categories of Data Subject. 17.9 Without prejudice to the generality of Clause 17.6 17.9.1 Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Guru Technology for the purposes of these Terms; and 17.9.2 Guru Technology will: 17.9.2.1 Process Personal Data only on the written instructions of Client, including regarding transfers of Personal Data outside of the European Economic Area, unless Guru Technology is required to do so by a legal obligation and, if so Guru Technology will notify Client of this before such Processing, unless a legal obligation prohibits this; 17.9.2.2 ensure that all personnel authorised by Guru Technology to Process Personal Data are obliged to keep the Personal Data confidential; 17.9.2.3 ensure that it has in place appropriate technical and organisational measures designed to protect against a Personal Data Breach, appropriate to the harm that might result from such Personal Data Breach and the nature of the Personal Data to be protected Guru Technology shall have regard to the state of technological development and the cost of implementing any measures, including, where appropriate: (A) } pseudonymising and encrypting Personal Data; (B) } ensuring confidentiality, integrity, availability and resilience of its systems and services; (C) } ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident; and (D) } regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it; 17.9.2.4 notify Client without undue delay if it becomes aware of a Personal Data Breach; 17.9.2.5 assist Client in responding to any requests from Data Subjects and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators, save that if this is not within the reasonable remit of the Services, this will be at Client’s 's cost; 17.9.2.6 at Client’s 's written direction, delete (or put Beyond Use) } or return Personal Data to Client once provision of the Services has ceased, unless required by a legal obligation tostore the Personal Data; and 17.9.2.7 maintain records and information to demonstrate it compliance with this clause 10 and, where this is not sufficient, allow for audits by Client or Client’s 's auditor solely to demonstrate compliance, at Client’s 's cost, provided that the Client : Client: (A) } will not exercise its audit rights more than once in any three (3) year period, save where Client reasonably believes that a further audit is required due to Personal Data Breach; (B) gives at least thirty (30) days’ written notice of its intention to audit, including specific details on the scope of the audit and any required evidence; (C) conducts its audit during normal business hours and limits it audit to a maximum of 2 Business Days; and (D) takes all reasonable measures to prevent material business interruption to Guru Technology 18 CHANGES TO THE CONDITIONS, SERVICE SPECIFIC CONDITIONS AND CONTRACT 18.1 Guru Technology may change the Conditions and/or Service Specific Conditions and/or policies at any time and will publish any change in line with condition 18.2.