OBLIGATIONS OF DATA PROCESSOR. 3.1 The Parties agree that the subject-matter and duration of Processing performed by Data Processor under this DPA, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Exhibit A of this DPA and in the Master Subscription Agreement.
3.2 As part of Data Processor providing the Service to Data Controller under the Master Subscription Agreement, Data Processor shall comply with the obligations imposed upon it under Article 28-32 of the GDPR and agrees and declares as follows:
(i) to process Personal Data in accordance with Data Controller's documented instructions as set out in the Master Subscription Agreement and this DPA with regard to transfers of personal data to a third country or an international organisation in accordance with Article 28 (3) (a) of the GDPR, unless required to do otherwise by Union or Member State Law to which the Data Processor is subject, or as otherwise necessary to provide the Service. In any such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
(ii) to ensure that all staff and management of any member of the Processor Group are fully aware of their responsibilities to protect Personal Data in accordance with this DPA and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with Article 28 (3) (b) of the GDPR;
(iii) to implement and maintain appropriate technical and organizational measures to protect Personal Data in accordance with Article 32 of the GDPR against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a "Data Security Breach"), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected, including:
(a) data security controls in accordance with ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001 as it pertains to the Zendesk Services that are included within the scope of said Report (as defined in Section 5); and
(b) data security controls achieve prevailing industry standards (including, without limitation, Service Organization Controls No. 2 (SOC2) in accordance with auditing standards in the Statements on Standards for Attestation Engagements No. 16 (SSAE16)) or such other alternative standards that are substantially equivalent to ISO 27001 as it pertains to the Zendesk Services that are included within the scope of said Report.
(iv) to notify Data Controller in accordance with Article 33 (2) of the GDPR, without undue delay but in any event within forty-eight (48) hours, in the event of a confirmed Data Security Breach affecting Data Controller’s Personal Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach. Further, Data Processor shall cooperate with Data Controller and take such commercially reasonable steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of any such Data Security Breach under the Applicable Data Protection Law;
(v) to comply with the requirements of Section 4 (Use of Sub-processors) when engaging a Sub-processor;
(vi) taking into account the nature of the Processing, shall assist Data Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfil Data Controller’s obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (a “Data Subject Request”). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in the first instance. However, in the event Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to Data Processor, Data Processor, shall, on Data Controller’s request and at Data Controller’s reasonable expense (scoped prior to Data Processor’s response to the Data Subject Request), address the Data Subject Request, as required under the Applicable Data Protection Law;
(vii) upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Applicable Data Protection Law;
(viii) upon termination of Data Controller’s access to and use of the Service, to comply with the requirements of Section 8 of this DPA (Return and Destruction of Personal Data);
(ix) to comply with the requirements of Section 5 of this DPA (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DPA; and
(x) to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DPA, including the measures detailed in Exhibits B-1 and B-2 to this DPA, as applicable.
3.3 Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller’s Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
Appears in 2 contracts
Samples: Data Processing Agreement, Data Processing Agreement
OBLIGATIONS OF DATA PROCESSOR. 3.1 The Parties agree that the subject-matter and duration of Processing performed by Data Processor under this DPA, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Exhibit A of this DPA.
3.2 As part of Data Processor providing the Service to Data Controller under the MSA, Data Processor shall comply with the obligations imposed upon it under Article 28-32 of the GDPR and agrees and declares as follows:
(i) to process Personal Data in accordance with Data Controller's documented instructions as set out in the MSA and this DPA, also with regard to transfers of personal data to a third country or an international organisation in accordance with Article 28 (3) (a) of the GDPR, unless required to do otherwise by Union or Member State Law to which the Data Processor is subject, or as otherwise necessary to provide the Service. In any such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
(ii) to ensure that all staff and management of any member of the Processor Group are fully aware of their responsibilities to protect Personal Data in accordance with this DPA and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with Article 28 (3) (b) of the GDPR;
(iii) to implement and maintain appropriate technical and organizational measures to protect Personal Data in accordance with Article 32 of the GDPR against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a "Data Security Breach"), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks presented by the Processing and the nature of the Personal Data to be protected, including:
(a) data security controls in accordance with ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001 as it pertains to the Zendesk Services that are included within the scope of said Report (as defined in Section 5); and
(b) data security controls achieve prevailing industry standards (including, without limitation, Service Organization Controls No. 2 (SOC2) in accordance with attestation standards established by the American Institute of Certified Public Accountants (AICPA) or such other alternative standards that are substantially equivalent to ISO 27001 as it pertains to the Zendesk Services that are included within the scope of said Report.
(iv) to notify Data Controller in accordance with Article 33 (2) of the GDPR, without undue delay but in any event within forty-eight (48) hours, in the event of a confirmed Data Security Breach affecting Data Controller’s Personal Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach. Further, Data Processor shall cooperate with Data Controller and take such commercially reasonable steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of any such Data Security Breach under the Applicable Data Protection Law;
(v) to comply with the requirements of Section 4 (Use of Sub-processors) when engaging a Sub-processor;
(vi) taking into account the nature of the Processing, shall assist Data Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfil Data Controller’s obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (a “Data Subject Request”). In the event that Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in the first instance. However, in the event Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to Data Processor, Data Processor, shall, on Data Controller’s request and at Data Controller’s reasonable expense (scoped prior to Data Processor’s response to the Data Subject Request), address the Data Subject Request, as required under the Applicable Data Protection Law;
(vii) upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Applicable Data Protection Law;
(viii) upon termination of Data Controller’s access to and use of the Service, to comply with the requirements of Section 8 of this DPA (Return and Destruction of Personal Data);
(ix) to comply with the requirements of Section 5 of this DPA (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DPA; and
(x) to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DPA, including the measures detailed in Exhibits B-1 and B-2 to this DPA, as applicable.
3.3 Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller’s Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
Appears in 1 contract
Samples: Data Processing Agreement
OBLIGATIONS OF DATA PROCESSOR. 3.1 The Parties agree that the subject-matter and duration of Processing performed by 3.1. When acting as a Data Processor under this DPAin relation to Personal Data provided by Goodlord Agent acting as a Data Controller, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Exhibit A of this DPA and in the Master Subscription Agreement.
3.2 As part of Data Processor providing the Service to Data Controller under the Master Subscription Agreement, Data Processor shall comply with the obligations imposed upon it under Article 28-32 of the GDPR and agrees and declares as followsGoodlord shall:
(i) to process 3.1.1. not Process the Personal Data or disclose Personal Data other than in accordance with the Data Controller's ’s documented instructions as set out in the Master Subscription Agreement and this DPA with regard to transfers of personal data to a third country or an international organisation in accordance with Article 28 (3) (a) of the GDPRinstructions, unless required to do otherwise by Union EU or Member State Law member state law to which the Data Processor is subject;
3.1.2. not authorise any sub-contractor to Process the Personal Data (“sub-processor”) other than with the prior written consent of the Data Controller, or as otherwise necessary such consent to provide be subject to the Service. In any such case, Data Processor shall inform meeting the conditions set out in all Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
(ii) to ensure that all staff and management of any member of the Processor Group are fully aware of their responsibilities to protect Personal Data in accordance with this DPA and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with Protection Laws, including without limitation Article 28 (32) and (b4) of the GDPR; for these purposes, Goodlord Agent consents to and authorises the engagement as sub-Processors of Goodlord affiliated companies and the third parties as set out in Schedule 3;
(iii) to 3.1.3. implement and maintain appropriate technical and organizational measures to protect Personal Data in accordance with Article 32 of the GDPR against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a "Data Security Breach"), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by risk and take all measures required pursuant to all Data Protection Laws, including without limitation Article 32 GDPR, in relation to the Processing and the nature processing of Personal Data, taking account of the Data to be protected, including:
(a) data security controls in accordance with ISO 27001 standards or such other alternative standards risks that are substantially equivalent presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to ISO 27001 as Personal Data transmitted, stored or otherwise Processed;
3.1.4. take all reasonable steps to ensure the reliability of persons authorised to Process the Personal Data and ensure that they have committed themselves to obligations of confidentiality;
3.1.5. promptly notify the Data Controller if it pertains receives any communication from a Data Subject or Supervisory Authority under the Data Protection Laws in respect of the Personal Data, including requests by a Data Subject to exercise rights in Chapter III of GDPR and assist the Zendesk Services that are included within the scope of said Report (as defined in Section 5); and
(b) data security controls achieve prevailing industry standards (including, without limitation, Service Organization Controls No. 2 (SOC2) in accordance with auditing standards in the Statements on Standards for Attestation Engagements No. 16 (SSAE16)) or such other alternative standards that are substantially equivalent to ISO 27001 as it pertains to the Zendesk Services that are included within the scope of said Report.
(iv) to notify Data Controller in accordance with Article 33 (2) of the GDPR, without undue delay but in any event within forty-eight (48) hours, in the event of a confirmed Data Security Breach affecting Data Controller’s Personal Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach. Further, Data Processor shall cooperate with Data Controller and take such commercially reasonable steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of any such Data Security Breach under the Applicable Data Protection Law;
(v) to comply with the requirements of Section 4 (Use of Sub-processors) when engaging a Sub-processor;
(vi) taking into account the nature of the Processing, shall assist Data Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfil Data Controller’s obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (a “Data Subject Request”). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in the first instance. However, in the event Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to Data Processor, Data Processor, shall, on Data Controller’s request and at Data Controller’s reasonable expense (scoped prior to Data Processor’s response to the Data Subject Request), address the Data Subject Request, as required under the Applicable Data Protection Lawthese communications;
(vii) upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account 3.1.6. immediately notify the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Applicable Data Protection Law;
(viii) upon termination of Data Controller’s access to and use of the Service, to comply with the requirements of Section 8 of this DPA (Return and Destruction of Personal Data);
(ix) to comply with the requirements of Section 5 of this DPA (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DPA; and
(x) to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DPA, including the measures detailed in Exhibits B-1 and B-2 to this DPA, as applicable.
3.3 Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller’s Processing instructions infringe any law upon becoming aware of or regulation. In such event, Data Processor is entitled to refuse Processing of reasonably suspecting a Personal Data that it believes to be in violation of any law or regulation.Breach and shall, unless Section
Appears in 1 contract
Samples: Master Services Agreement
OBLIGATIONS OF DATA PROCESSOR. 3.1 4.1 The Parties agree that the subject-matter and duration of Processing performed by the Data Processor under this DPADPA and the Subscription Agreement, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Exhibit A of this DPA and in the Master Subscription AgreementDPA.
3.2 4.2 As part of the Data Processor providing the Service to the Data Controller under the Master Subscription Agreement, Data Processor shall comply with the obligations imposed upon it under Article 28-GDPR Articles 28 - 32 of the GDPR and agrees and declares as follows:
(i1) to The Data Processor shall process Personal Data in accordance with Data Controller's documented the instructions as set out forth in the Master Subscription Agreement and this DPA with regard to transfers of personal data to a third country or an international organisation in accordance with Article 28 DPA;
(32) (a) of the GDPR, unless required to do otherwise by Union or Member State Law to which the Data Processor is subject, or as otherwise necessary to provide the Service. In any such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
(ii) to ensure that all staff and management of any member of the Data Processor Group are fully aware of their responsibilities to protect Personal Data in accordance with this DPA and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with GDPR Article 28 28(3)(b);
(3) (b) of the GDPR;
(iii) to Data Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data in accordance with GDPR Article 32 of the GDPR against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a "Data Security Breach"), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected, including:including data security consistent with the Security Standards described in Exhibit B, ,
(a4) data security controls in accordance with ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001 as it pertains to the Zendesk Services that are included within Data Processor shall notify the scope of said Report (as defined in Section 5); and
(b) data security controls achieve prevailing industry standards (including, without limitation, Service Organization Controls No. 2 (SOC2) in accordance with auditing standards in the Statements on Standards for Attestation Engagements No. 16 (SSAE16)) or such other alternative standards that are substantially equivalent to ISO 27001 as it pertains to the Zendesk Services that are included within the scope of said Report.
(iv) to notify Data Controller in accordance with GDPR Article 33 (2) of the GDPR33(2), without undue delay but in any event within forty-eight (48) 48 hours, in the event of a confirmed Data Security Breach affecting the Data Controller’s Personal Service Data and to cooperate with the Data Controller as necessary to mitigate or remediate the Data Security Breach. Further, the Data Processor shall cooperate with the Data Controller and take such commercially reasonable steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of any such Data Security Breach under the Applicable Data Protection LawGDPR;
(v5) to the Data Processor shall comply with the requirements of Section 4 (Use of Sub-processors) 5 when engaging a Sub-processorProcessor;
(vi6) taking into account the nature of the Processing, the Data Processor shall assist the Data Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfil Data Controller’s obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law GDPR (a “Data Subject Request”). In the event the Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in the first instanceController. However, in the event the Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to the Data ProcessorController, the Data Processor, shall, on the Data Controller’s written request and at the Data Controller’s instruction to the Data Processor, and at the Data Processor’s reasonable expense (scoped prior to the Data Processor’s response to the Data Subject Request), address the Data Subject Request, as required under the Applicable Data Protection LawGDPR;
(vii7) upon request, to the Data Processor shall provide the Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to the Data Processor, to help the Data Controller to conduct any data protection impact assessment or Supervisor Supervisory Authority consultation it is required to conduct under Applicable Data Protection LawGDPR;
(viii) 8) upon termination of the Data Controller’s access to and use of the Service, to the Data Processor shall comply with the requirements of Section 8 of this DPA (Return and Destruction of Personal Data)10;
(ix9) to the Data Processor shall comply with the requirements of Section 5 of this DPA (Audit) 6 in order to make available to the Data Controller information that demonstrates the Data Processor’s compliance with this DPA; and
(x10) to the Data Processor shall appoint a security officer who will act as a point of contact for the Data Controller, and coordinate and control compliance with this DPA, including the measures detailed in Exhibits B-1 and B-2 to this DPA, as applicable.
3.3 4.3 The Data Processor shall immediately inform the Data Controller if, in its opinion, the Data Controller’s Processing processing instructions infringe any law or regulation. In such event, the Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
Appears in 1 contract
Samples: Data Processing Agreement
OBLIGATIONS OF DATA PROCESSOR. 3.1 4.1 The Parties agree that the subject-matter and duration of Processing performed by Data Processor under this DPA, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Exhibit A Appendix 1 of this DPA and in the Master Subscription AgreementTerms.
3.2 4.2 As part of Data Processor providing the Service to Data Controller under the Master Subscription AgreementTerms, Data Processor shall comply with the obligations imposed upon it under Article 28-32 of the GDPR and agrees and declares as follows:
(ia) to process Personal Data in accordance with Data Controller's ’s documented instructions as set out in the Master Subscription Agreement Terms and this DPA with regard to transfers of personal data to a third country or an international organisation in accordance with Article 28 (3) (a) of the GDPR, unless required to do otherwise by Union or Member State Law to which the Data Processor is subject, or as otherwise necessary to provide the Service. In any , except where required otherwise by applicable laws (and provided such laws do not conflict with Applicable Data Protection Law); in such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
(iib) to ensure that all staff and management of any member of the Processor Group are fully aware of their responsibilities to protect Personal Data in accordance with this DPA and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with Article 28 (3) (b) of the GDPRconfidentiality;
(iiic) to implement and maintain appropriate technical and organizational measures to protect Personal Data in accordance with Article 32 of the GDPR against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a "“Data Security Breach"”), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected, including:;
(a) data security controls in accordance with ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001 as it pertains to the Zendesk Services that are included within the scope of said Report (as defined in Section 5); and
(b) data security controls achieve prevailing industry standards (including, without limitation, Service Organization Controls No. 2 (SOC2) in accordance with auditing standards in the Statements on Standards for Attestation Engagements No. 16 (SSAE16)) or such other alternative standards that are substantially equivalent to ISO 27001 as it pertains to the Zendesk Services that are included within the scope of said Report.
(ivd) to notify Data Controller in accordance with Article 33 (2) of the GDPRController, without undue delay but in any event within forty-eight (48) hoursdelay, in the event of a confirmed Data Security Breach affecting Data Controller’s Personal Service Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach. Further, Data Processor shall cooperate with Data Controller and take such commercially reasonable steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of any such Data Security Breach under the Applicable Data Protection Law;
(ve) to comply with the requirements of Section 4 5 (Use of Sub-processors) when engaging a Sub-processor;
(vif) taking into account the nature of the Processing, shall to assist Data Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfil Data Controller’s obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (a “Data Subject Request”). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in the first instance. However, in the event Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to Data Processor, Data Processor, shall, on Data Controller’s request and at Data Controller’s reasonable expense (scoped prior to Data Processor’s response to the Data Subject Request)expense, address the Data Subject Request, as required under the Applicable Data Protection Law;
(viig) upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Applicable Data Protection Law;
(viiih) upon termination of Data Controller’s access to and use of the Service, to comply with the requirements of Section 8 of this DPA 9 (Return and Destruction of Personal Data);
(ixi) to comply with the requirements of Section 5 of this DPA 6 (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DPA; and
(xj) to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DPA, including the measures detailed in Exhibits B-1 and B-2 Exhibit A to this DPA, as applicable.
3.3 (k) Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller’s Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
OBLIGATIONS OF DATA PROCESSOR. 3.1 4.1 The Parties agree that the subject-matter and duration of Processing performed by Data Processor under this DPAAgreement, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Exhibit A of this DPA and in the Master Subscription End User Licence Agreement.
3.2 4.2 As part of Data Processor providing the Service to Data Controller under the Master Subscription End User Licence Agreement, Data Processor shall comply with the obligations imposed upon it under Article 28-32 of the GDPR and agrees and declares as follows:
(i) to process Personal Data in accordance with Data Controller's documented instructions as set out in the Master Subscription this Agreement and this DPA with regard to transfers of personal data to a third country or an international organisation in accordance with Article 28 (3) (a) of the GDPR, unless required to do otherwise by Union or Member State Law to which the Data Processor is subject, or as otherwise necessary to provide the Service. In any , except where required otherwise by applicable laws (and provided such laws do not conflict with Applicable Data Protection Law); in such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
(ii) to ensure that all staff and management of any member of the Processor Group are fully aware of their responsibilities to protect Personal Data in accordance with this DPA Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with Article 28 (3) (b) of the GDPRconfidentiality;
(iii) to implement and maintain appropriate technical and organizational measures to protect Personal Data in accordance with Article 32 of the GDPR against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a "Data Security Breach"), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected, including:
(a) data security controls in accordance with ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001 as it pertains to the Zendesk Services that are included within the scope of said Report (as defined in Section 5); and
(b) data security controls achieve prevailing industry standards (including, without limitation, Service Organization Controls No. 2 (SOC2) in accordance with auditing standards in the Statements on Standards for Attestation Engagements No. 16 (SSAE16)) or such other alternative standards that are substantially equivalent to ISO 27001 as it pertains to the Zendesk Services that are included within the scope of said Report.;
(iv) to notify Data Controller in accordance with Article 33 (2) of the GDPRController, without undue delay but in any event within forty-eight (48) hoursdelay, in the event of a confirmed Data Security Breach affecting Data Controller's Personal Service Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach. Further, Data Processor shall cooperate with Data Controller and take such commercially reasonable steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of any such Data Security Breach under the Applicable Data Protection Law;
(v) to comply with the requirements of Section 4 5 (Use of Sub-processors) when engaging a Sub-processor;
(vi) taking into account the nature of the Processing, shall to assist Data Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (a "Data Subject Request"). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in the first instance. However, in the event Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to Data Processor, Data Processor, shall, on Data Controller's request and at Data Controller's reasonable expense (scoped prior to Data Processor’s response to the Data Subject Request)expense, address the Data Subject Request, as required under the Applicable Data Protection Law;
(vii) upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Applicable Data Protection Law;
(viii) upon termination of Data Controller's access to and use of the Service, to comply with the requirements of Section 8 of this DPA 9 (Return and Destruction of Personal Data);
(ix) to comply with the requirements of Section 5 of this DPA 6 (Audit) in order to make available to Data Controller information that demonstrates Data Processor's compliance with this DPAAgreement; and
(x) to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DPAAgreement, including the measures detailed in Exhibits B-1 and B-2 Exhibit A to this DPA, as applicable. Agreement.
3.3 4.3 Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
OBLIGATIONS OF DATA PROCESSOR. 3.1 4.1 The Parties agree that the subject-matter and duration of Processing performed by Data Processor under this DPAAgreement, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Exhibit A of this DPA and in the Master Subscription End User Licence Agreement.
3.2 4.2 As part of Data Processor providing the Service to Data Controller under the Master Subscription End User Licence Agreement, Data Processor shall comply with the obligations imposed upon it under Article 28-32 of the GDPR and agrees and declares as follows:
(i) to process Personal Data in accordance with Data Controller's documented instructions as set out in the Master Subscription this Agreement and this DPA with regard to transfers of personal data to a third country or an international organisation in accordance with Article 28 (3) (a) of the GDPR, unless required to do otherwise by Union or Member State Law to which the Data Processor is subject, or as otherwise necessary to provide the Service. In any , except where required otherwise by applicable laws (and provided such laws do not conflict with Applicable Data Protection Law); in such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
(ii) to ensure that all staff and management of any member of the Processor Group are fully aware of their responsibilities to protect Personal Data in accordance with this DPA Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with Article 28 (3) (b) of the GDPRconfidentiality;
(iii) to implement and maintain appropriate technical and organizational measures to protect Personal Data in accordance with Article 32 of the GDPR against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a "Data Security Breach"), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected, including:
(a) data security controls in accordance with ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001 as it pertains to the Zendesk Services that are included within the scope of said Report (as defined in Section 5); and
(b) data security controls achieve prevailing industry standards (including, without limitation, Service Organization Controls No. 2 (SOC2) in accordance with auditing standards in the Statements on Standards for Attestation Engagements No. 16 (SSAE16)) or such other alternative standards that are substantially equivalent to ISO 27001 as it pertains to the Zendesk Services that are included within the scope of said Report.;
(iv) to notify Data Controller in accordance with Article 33 (2) of the GDPRController, without undue delay but in any event within forty-eight (48) hoursdelay, in the event of a confirmed Data Security Breach affecting Data Controller's Personal Service Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach. Further, Data Processor shall cooperate with Data Controller and take such commercially reasonable steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of any such Data Security Breach under the Applicable Data Protection Law;
(v) to comply with the requirements of Section 4 5 (Use of Sub-processors) when engaging a Sub-processor;
(vi) taking into account the nature of the Processing, shall to assist Data Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (a "Data Subject Request"). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in the first instance. However, in the event Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to Data Processor, Data Processor, shall, on Data Controller's request and at Data Controller's reasonable expense (scoped prior to Data Processor’s response to the Data Subject Request)expense, address the Data Subject Request, as required under the Applicable Data Protection Law;
(vii) upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Applicable Data Protection Law;
(viii) upon termination of Data Controller's access to and use of the Service, to comply with the requirements of Section 8 of this DPA 9 (Return and Destruction of Personal Data);
(ix) to comply with the requirements of Section 5 of this DPA 6 (Audit) in order to make available to Data Controller information that demonstrates Data Processor's compliance with this DPAAgreement; and
(x) to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DPAAgreement, including the measures detailed in Exhibits B-1 and B-2 Exhibit A to this DPA, as applicable. Agreement.
3.3 4.3 Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
OBLIGATIONS OF DATA PROCESSOR. 3.1 The Parties agree that the subject-matter and duration of Processing performed by Data Processor under this DPA, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Exhibit A of this DPA and in the Master Subscription Agreement.
3.2 As part of Data Processor providing the Service to Data Controller under the Master Subscription Agreement, Data Processor shall comply with the obligations imposed upon it under Article 28-32 of the GDPR and agrees and declares as follows:
(i) to process Personal Data in accordance with Data Controller's documented instructions as set out in the Master Subscription Agreement and this DPA with regard to transfers of personal data to a third country or an international organisation in accordance with Article 28 (3) (a) of the GDPR, unless required to do otherwise by Union or Member State Law to which the Data Processor is subject, or as otherwise necessary to provide the Service. In any such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
(ii) to ensure that all staff and management of any member of the Processor Group are fully aware of their responsibilities to protect Personal Data in accordance with this DPA and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with Article 28 (3) (b) of the GDPR;
(iii) to implement and maintain appropriate technical and organizational measures to protect Personal Data in accordance with Article 32 of the GDPR against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a "Data Security Breach"), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected, including:
(a) data security controls in accordance with ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001 as it pertains to the Zendesk Services that are included within the scope of said Report (as defined in Section 5); and
(b) data security controls achieve prevailing industry standards (including, without limitation, Service Organization Controls No. 2 (SOC2) in accordance with auditing standards in the Statements on Standards for Attestation Engagements No. 16 (SSAE16)) or such other alternative standards that are substantially equivalent to ISO 27001 as it pertains to the Zendesk Services that are included within the scope of said Report.
(iv) to notify Data Controller in accordance with Article 33 (2) of the GDPR, without undue delay but in any event within forty-eight (48) hours, in the event of a confirmed Data Security Breach affecting Data Controller’s Personal Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach. Further, Data Processor shall cooperate with Data Controller and take such commercially reasonable steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of any such Data Security Breach under the Applicable Data Protection Law;
(v) to comply with the requirements of Section 4 (Use of Sub-processors) when engaging a Sub-processor;
(vi) taking into account the nature of the Processing, shall assist Data Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfil Data Controller’s obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (a “Data Subject Request”). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in the first instance. However, in the event Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to Data Processor, Data Processor, shall, on Data Controller’s request and at Data Controller’s reasonable expense (scoped prior to Data Processor’s response to the Data Subject Request), address the Data Subject Request, as required under the Applicable Data Protection Law;
(vii) upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Applicable Data Protection Law;
(viii) upon termination of Data Controller’s access to and use of the Service, to comply with the requirements of Section 8 of this DPA (Return and Destruction of Personal Data);
(ix) to comply with the requirements of Section 5 of this DPA (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DPA; and
(x) to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DPA, including the measures detailed in Exhibits B-1 and B-2 to this DPA, as applicable.
3.3 Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller’s Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.