Notifications to Controller Sample Clauses
Notifications to Controller. The Processor shall promptly notify the Controller and refer any request to the Controller:
i. if the Processor, or one of its sub-processors, becomes aware of a Personal Data breach. Such notification shall be made immediately by the Processor and no longer than 24 hours from becoming aware of the breach. Information provided to the Controller shall, to the extent such information is available to the Processor, include: (x) a description of the nature of the Personal Data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; (y) a description of the likely consequences of the Personal Data breach; and (z) a description of the measures taken or proposed to be taken by the Processor to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects. In addition, the Processor shall without undue delay inform the Controller of the circumstances giving rise to the Personal Data breach, and any other related information reasonably requested by the Controller and available to the Processor. The Parties may agree on a more detailed breach notification process in separate;
ii. in the event of a legally binding request for disclosure of Personal Data by a law enforcement authority unless prohibited under applicable law;
iii. if a request is received by the Processor from Data Subjects regarding the Processing of their Personal Data, by a supervisory authority or a third party. Unless given prior express instruction by the Controller, or if it is required under mandatory legislation, the Processor may not disclose any Controller’s Personal Data or any information relating to the processing of the Controller’s Personal Data to any third party but should instead refer such third party to the Controller; and
iv. if, in the opinion of the Processor, an instruction of the Controller infringes the GDPR or other Union or Member State data protection provisions.
