Information Obligations and Incident Management. 9.1 When the Data Processor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Service Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
9.2 The term “incident” used in Paragraph 9.1 shall be understood to mean in any case:
(a) a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law;
(b) an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;
(c) any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;
(d) any breach of the security and/or confidentiality as set out in Paragraphs 5 and 6 of this Addendum leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place;
(e) where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
9.3 The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where an incident is reasonably likely to require a data breach notification by the Data Controller under the EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 24 hours of having become aware of such an incident.
9.4 Any notifications made to the Data Controller pursuant to this Article shall be addressed to the Data Protection Officer or other employee of the Data Controller whose contact details are provided during the registration process, and shall contain:
(a) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concer...
Information Obligations and Incident Management. When the Data Processor becomes aware of an Incident that impacts the Processing of the Personal Data that was provided under the Services Agreement, it shall promptly notify the Data Controller about the Incident within 48 hours of its becoming aware of the Incident. The Data Processor shall reasonably cooperate with the Data Controller and shall follow the Data Controller’s reasonable instructions with regard to such Incidents that solely affect Personal Data that was provided to the Data Processor under the Services Agreement in order to enable the Data Controller to perform a thorough investigation into the Incident, to formulate a correct response, and to take suitable further steps in respect of the Incident.
Information Obligations and Incident Management a. The Data Processor shall notify the Data Controller promptly of becoming aware of a personal data breach involving Data Controller Personal Data and provide the Data Controller with information relevant to reasonably assist the Data Controller with its own notification obligations as applicable to Data Controller under EU Data Protection Law which may include the following: (i) a description of the nature of the personal data breach; (ii) the categories and approximate number of data subjects impacted; (iii) a description of the measures taken or proposed to be taken by the Data Processor to address the personal data breach.
Information Obligations and Incident Management. 8.1. When the Operator becomes aware of an incident that has a material impact on the processing of the personal information that is the subject of the agreement between the parties, it shall promptly notify the Responsible Party about the incident, shall at all times cooperate with the Responsible Party, and shall follow the Responsible Party’s instructions with regard to such incidents, in order to enable the Responsible Party to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
8.2. The term “incident” used in paragraph 8.1 shall be understood to mean in any case:
(a) a complaint or a request with respect to the exercise of a Data Subject’s rights in terms of POPIA
(b) any unauthorized or accidental access, processing, deletion, loss, or any form of unlawful processing of the personal information
(c) any breach of the security and/or confidentiality as set out in this Data Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the personal information, or any indication of such breach having taken place or being about to take place
(d) where, in the opinion of the Operator, implementing an instruction received from the Responsible Party would violate applicable laws to which the Responsible Party or the Operator are subject.
8.3. The Operator shall at all times have in place written procedures which enable it to promptly respond to the Responsible Party about an incident. Where the incident is reasonably likely to require a data breach notification by the Responsible Party in terms of the POPIA, the Operator shall implement its written procedures in such a way that it is in a position to notify the Responsible Party without undue delay after the Operator becomes aware of such an incident.
8.4. Any notifications made to the Responsible Party shall be addressed to the employee of the Responsible Party whose contact details are provided in Annexure 1 of this Data Processing Agreement and, in order to assist the Responsible Party in fulfilling its obligations in terms of the POPIA, should contain:
(a) a description of the nature of the incident, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal information records concerned
(b) the name and contact details of the Operator’s Information Officer...
Information Obligations and Incident Management. 9.1. The Data Processor shall at all times without undue delay notify the Data Controller of any incident with regard to the processing of the Personal Data, shall at all times cooperate with the Data Controller and shall follow the Data Controllers instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incidents, to formulate a correct response and to take suitable further steps in respect of the incident. Specifically, the Data Processor warrants that it provides the Data Controller with all information necessary to fulfil its legal obligations, such as the obligation to notify incidents as stipulated in article 33 and 34 GDPR.
9.2. The term “incident” used in article 9.2 shall mean in any case:
9.2.1. Any communication of a data subject with regard to their Personal Data;
9.2.2. An investigation into or seizure of the Personal Data by government officials, or any indication that this is about to take place;
9.2.3. Any breach of the security and/or confidentiality as set out in article 32 GDPR or articles 5 and 6 of this Agreement leading to the loss or any form of unlawful processing, including destruction, alteration, unauthorized discloser of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place.
9.3. In case of an incident as described in article 9.2.2 and 9.2.3 the Data Processor notifies the Data Controller within 24 hours after discovery of the incident. Such notification includes:
9.4. the nature of the incident,
9.5. the date and time upon which the incident took place and was discovered;
9.6. the (amount of) data subjects affected by the incident;
9.7. which categories of Personal Data were involved with the incident;
9.8. whether and, if so, which security measures – such as encryption – were taken to render the Personal Data incomprehensible or inaccessible to anyone without the authorization to access these data.
9.9. The Data Processor is not entitled to notify the competent authority, including a notification in accordance with article 33 and 34 GDPR, an incident in which respect the Data Processor qualifies as the Data processor and Data Controller qualifies as the Data controller.
Information Obligations and Incident Management a. SOTI shall notify Customer without undue delay, but no later than 72 hours after becoming aware of a breach of XXXX’s security safeguards leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data (“Breach”).
x. XXXX’x notification of a Breach will describe: the nature of the Breach; the measures SOTI has taken, or plans to take, to address the Breach and mitigate its potential risk; the measures, if any, SOTI recommends that Customer take to address the Breach; and details of a contact point where more information can be obtained. If it is not possible to provide all such information at the same time, SOTI’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.
Information Obligations and Incident Management. (a) If Xxxxxx becomes aware of an incident that materially adversely affects the Processing of the Personal Data that is the subject of the Agreement, it shall promptly notify the Customer about the incident, shall provide commercially reasonable cooperation to the Customer, and (to the extent such incident was caused by Xxxxxx’s negligent acts or omissions) shall take commercially reasonable steps designed to remediate the incident, if applicable, to the extent that remediation is within Xxxxxx’s control. The obligations of this Section 16(a) do not apply to incidents that are caused by the Customer, Authorized Users, and/or any products and services other than Nasuni’s.
Information Obligations and Incident Management. 12.1. The operator incident notification. The operator must notify the responsible party after becoming aware of a personal data incident without undue delay, provided that: • the incident has a material impact on personal data processing that is the subject of the principal agreement; • the operator will cooperate with the responsible party at all times; • the operator will follow the responsible party’s instructions regarding the incident; • the operator will let the responsible party perform a thorough investigation into the incident, formulate a correct response and take suitable additional steps in respect of that response.
Information Obligations and Incident Management. 13.1. The operator incident notification. In the event that there is a Personal information breach and/or a POPIA Data Breach, the operator shall notify the Responsible party, as soon as reasonably possible after becoming aware of a personal information incident without undue delay, provided that the incident has a material impact on personal information processing that is the subject of the principal agreement. The operator shall, where applicable, provide the Responsible party with reasonable information in its possession or any other information that will assist the Responsible party to:
13.1.1. notify the relevant Information Regulator in terms of the applicable data protection laws and/or.
13.1.2. to meet any other obligations set out in terms of the applicable data protection laws.
Information Obligations and Incident Management. 7.1. When the Operator becomes aware of an incident that has an impact on the Processing of the Personal Information that is the subject of this DPA, it will notify the Responsible Party as soon as reasonably possible about the incident and will cooperate with the Responsible Party’s reasonable requests in order to enable the Responsible Party to comply with their obligations. Where appropriate, the Operator may charge for these services.
7.2. The term "incident" used in clause 7.1 means:
7.2.1. a complaint or a request with respect to the exercise of a Data Subject’s rights in terms of POPIA;
7.2.2. any unauthorized or accidental access, processing, deletion, loss or any form of unlawful Processing of the Personal Information;
7.2.3. any breach of the security and/or confidentiality as set out in this DPA leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Information, or any indication of such breach having taken place or being about to take place;
7.2.4. where, in the opinion of the Operator, implementing an instruction received from the Responsible Party would violate applicable laws to which the Responsible Party or the Operator are subject.
7.3. The Operator will at all times have in place written procedures which enable it to promptly respond to the Responsible Party about an incident.
7.4. Any notifications made to the Responsible Party will be addressed to the employee of the Responsible Party whose contact details are provided on the Order.
