Obligations of Processor. (a) The Processor shall use commercially reasonable efforts that persons authorized by the Processor to process the personal data on behalf of the Controller, in particular the Processor's employees as well as employees of any Subprocessors, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that such persons who have access to the personal data, process such personal data in compliance with this DPA.
(b) The Processor shall use commercially reasonable efforts to implement and maintain the technical and organizational measures as specified in Annex 1 to this DPA. The Processor may amend the technical and organizational measures from time to time, provided that the amended technical and organizational measures are overall not less protective than those set out in Exhibit 2. Substantial amendments to the technical and organizational measures shall be notified to the Controller.
(c) The Processor shall use commercially reasonable efforts to make available to the Controller any information necessary to demonstrate compliance with the obligations of Processor laid down in Art. 28 GDPR and in this DPA.
(d) The Processor shall use commercially reasonable efforts to provide an independent third-party audit report upon Controller's request, where such audit report shall only be requested once per calendar year and at Controller's costs.
(e) The Processor is obliged to notify the Controller within forty-eight (48) hours:
• about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and
• about any complaints and requests received directly from a data subject (e.g., regarding access, rectification, erasure, restriction of processing, data portability, objection to processing of data, automated decision-making) without responding to that request, unless the Processor has been otherwise authorized by the Controller to do so, or (ii) in case of a Security breach the Processor is becoming aware of.
(f) The Processor shall use commercially reasonable efforts to assist the Controller with its obligation to carry out a data protection impact assessment as may be required by Art. 35 GDPR and prior consultation as may be required by Art. 36 GDPR that relates to the Services provided by the Processor to the Controller under this DPA...
Obligations of Processor. Processor must process personal data only in accordance with prior arrangements and the instructions of Controller, unless required to otherwise process the data by European Union or Member State law to which Processor is subject (such as investigations by law enforcement or national security agencies); in such a case, Processor must inform the Controller of these legal requirements prior to processing the data, unless the relevant law prohibits such information on important grounds of public interest (Article 28
Obligations of Processor. The Processor shall:
(a) process the Personal Data only as instructed by the Controller and on the Controller's behalf; such instruction is provided in the Services Agreement, this DPA and otherwise in documented form as specified in clause 3 above. Such obligation to follow the Controller's instruction also applies to the transfer of the Personal Data to a Third Country or an International Organization.
(b) inform the Controller promptly if the Processor cannot comply with any instructions from the Controller for whatever reasons;
(c) ensure that persons authorized by the Processor to Process the Personal Data on behalf of the Controller have committed themselves to confidentiality or are under an appropriate obligation of confidentiality and that such persons that have access to the Personal Data Process such Personal Data in compliance with the Controller's instructions.
(d) implement the Technical and Organizational Security Measures which will meet the requirements of the Applicable Data Protection Law as further specified in Annex 4 before Processing of the Personal Data and ensure to provide sufficient guarantees to the Controller on such Technical and Organizational Security Measures.
(e) assist the Controller by appropriate Technical and Organizational Measures, insofar as this is feasible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subjects' rights concerning information, access, rectification and erasure, restriction of processing, notification, data portability, objection and automated decision-making. The Processor shall maintain the Technical and Organizational Measures set forth in Annex 4 of this DPA. To the extent such feasible Technical and Organizational Measures require changes or amendments to the Technical and Organizational Measures specified in Annex 4, the Processor will advise the Controller on the costs to implement such additional or amended Technical and Organizational Measures. Once the Controller has confirmed to bear such costs, the Processor will implement such additional or amended Technical and Organizational Measures to assist the Controller to respond to Data Subject's requests.
(f) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and in Article 28 GDPR and allow for and contribute to audits, including inspections conducted by the Controller or another auditor mandated by Controller. The...
Obligations of Processor. 5.1 Processor shall ensure that all persons authorised by Processor to process personal data on behalf of Controller, particularly personnel of Processor or any Subprocessor, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.2 Before processing personal data to provide the Services, Processor shall implement the following technical and organisational measures: xxx.xxxxxxxxxx.xxx/xxx-xxxx. Processor may amend the technical and organisational measures from time to time provided that the amended technical and organisational measures are not less protective than those in place as of date that the Parties concluded this DPA.
5.3 Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations in the Applicable Data Protection Law. The Parties agree that this information obligation is met by providing Controller with an audit report upon request. To the extent additional audit activities are required by Applicable Data Protection Law, Controller may request inspections conducted by Controller or another auditor mandated by Controller. An on-site audit must:
(a) be limited to processing facilities and personnel of Processor involved in the processing activities covered by this DPA;
(b) occur no more than once annually or as required by Applicable Data Protection Law or by a competent supervisory authority or immediately after a material personal data breach affecting personal data processed by Processor under this DPA; and
(c) may occur only during regular business hours, after reasonable prior notice, in accordance with Processor's security policies and without substantially disrupting Processor's business operations. Each Party shall bear its own costs arising out of or in connection with the on-site audit at Controller and Processor. Controller shall create an audit report summarising the findings and observations of the on-site audit. All audit reports are confidential information of Processor and shall not be disclosed to third parties unless required by Applicable Data Protection Law or with Processor's consent.
5.4 Processor shall notify Controller without undue delay:
(a) about any legally binding request for disclosure of the personal data by a law enforcement authority, unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(b) if applicable law to whi...
Obligations of Processor. Processor shall:
5.1. Comply with and only act on behalf of the Controller regarding the Processing of Personal Data.
5.2. Not Process Personal Data for any other purposes other than to provide the Services to Controller.
5.3. Notify Controller, where Processor in its opinion believes that an instruction of Controller would result in a violation of applicable Data Protection Law and request Controller to withdraw, amend or confirm the relevant instruction. Pending the decision on the withdrawal, amendment or confirmation of the relevant instruction, Processor shall be entitled to suspend the implementation of the relevant instruction.
5.4. Ensure that persons authorized by Processor to Process the Personal Data on behalf of Controller are suitably informed, trained and instructed in respect of applicable Data Protection Law.
5.5. Implement the appropriate technical and organizational measures to ensure the protection of the Personal Data, according to the requirements of applicable Data Protection Law.
5.6. Notify to Controller any Data Subjects’ rights request within 103 days of its reception, to the email address shown in the heading of this DPA, without responding to that request, for the fulfillment of Controller’s obligation to respond to requests for exercising Data Subjects’ rights concerning information, access, rectification and erasure, restriction of Processing, data portability, objection and automated decision-making. For avoidance of doubt, it is the sole responsibility of Data Controller to enable any Data Subject to execute such rights.
5.7. Make available to Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and in Art. 28 GDPR and Data Protection Laws.
5.8. Notify Controller, to the email address shown in the heading of this DPA, without within 32 hours after Processor becomes aware of a Personal Data Breach at Processor or its Subprocessors, unless it is unlikely to result in a risk to the rights and freedoms of natural persons. In case of such Personal Data Breach, Processor will assist Controller with investigating the Personal Data Breach and Controller’s obligation under Data Protection Law to inform the Data Subjects and the supervisory authorities, as applicable, and to document the Personal Data Breach.
5.9. Assist Controller with any data protection impact assessment and with prior consultation, if any, that relate to the Services provided by Processor to Controller and...
Obligations of Processor. 5.1 Basically, Processor shall, unless otherwise permitted by law or otherwise (e.g. data subject’s consent), collect, process or use data only as commissioned by Controller and in compliance with the Instructions of Controller but, in particular, not for its own purposes. Processor will correct, delete, rectify or block the data processed on behalf of Controller only as instructed by Controller. If a data subject contacts Processor with a request for correction or deletion of its data, Processor shall forward the request to Controller.
5.2 Processor shall also be entitled to use certain data which it receives in the course of providing product support in a form that will not allow the respective Processor personnel to re-identify any natural person (e.g. a physician, hospital staff or patient). Such use occurs for the purposes of (i) fulfilling legal obligations (e.g. product monitoring and reporting obligations), or (ii) exercising other legitimate interests and lawful purposes of Processor and Controller, in particular those to improve the quality and functionality of Processor’s products by using selected support data (e.g. de-identified CT or MRT images) to i.a. test new releases of the products.
5.3 Processing takes place on the Instructions from the Controller only, unless the Processor is required to do so by European Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest (cf., Art. 28 para. 3 lit. a GDPR).
5.4 Unless prohibited by applicable law or a legally-binding request of an authority, Processor shall promptly notify Controller of any request by public authorities, data protection supervisory authority or law enforcement authority for access to or seizure of Personal Data of the Controller as provided hereunder.
5.5 Before granting access to Personal Data, Processor will oblige persons employed in processing Personal Data on data secrecy and confidentiality and familiarize them with the provisions as set forth in the data protection obligations as applicable to Processor. Where necessary, this shall include obligating the relevant personnel on professional secrecy (if any, including derivative obligations, for example when processing data originating from hospitals or medical doctors) or the telecommunication secrecy if and to the extent that respectiv...
Obligations of Processor. 5.1 Processor shall, unless otherwise permitted by law or otherwise (e.g. data subject’s consent), collect, process or use data only as commissioned by Controller and in compliance with the Instructions of Controller but, in particular, not for its own purposes. Processor will correct, delete, rectify or block the data processed on behalf of Controller only as instructed by Controller. If a data subject contacts Processor with a request for correction or deletion of its data, Processor shall forward the request to Controller.
5.2 Processing takes place on the instructions from the Controller only, unless the Processor is required to do so by European Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (cf., Art. 28 para. 3 lit. a GDPR).
5.3 Unless prohibited by applicable law or a legally-binding request of an authority, Processor shall promptly notify Controller of any request by government official, data protection supervisory authority or law enforcement authority for access to or seizure of Personal Data of the Controller as provided hereunder.
5.4 Before granting access to Personal Data, Processor will oblige persons employed in processing Personal Data on data secrecy and confidentiality and familiarize them with the provisions as set forth in the data protection obligations as applicable to Processor. Where necessary, this shall include obligating the relevant personnel on professional secrecy (if any, including derivative obligations, for example when processing data originating from hospitals or medical doctors) or the telecommunication secrecy if and to the extent that respective services have been agreed upon in the Master Agreement.
5.5 Insofar as required by statutory law, Processor will appoint a data protection officer and shall make its contact details available to Controller during the term of this Agreement.
5.6 Processor will without undue delay notify Controller of violations of Instructions or of provisions for the protection of Controller’s Personal Data by Processor or a person employed by Processor. If Personal Data have been lost, unlawfully transferred or otherwise unlawfully disclosed to third parties according to Art. 33 and 34 of the GDPR, Controller shall be informed of such incidences without undue delay. Processor shall, in consul...
Obligations of Processor. 3.1 We shall Process Your Personal Data only as set forth herein, unless otherwise required to do so under applicable Data Protection Laws. In such case, we shall inform You of the legal requirement before Processing, unless such law prohibits Us from doing so. Subsequent Contrato de Encargado de Tratamiento de Datos Personales
Obligations of Processor. Processor shall collect, process and use Personal Data only within the scope of Controller’s Instructions. If the Processor thinks that an instruction of the Controller infringes the BDSG or other data protection provisions, it shall point this out to the principal without delay. Within Processor’s area of responsibility, Processor shall structure Processor’s internal corporate organisation to ensure compliance with the specific requirements of the protection of Personal Data. Processor shall take the appropriate technical and organisational measures to adequately protect Controller’s Personal Data against misuse and loss in accordance with the requirements of the German Federal Data Protection Act (§ 9 BDSG) or a corresponding provision of the otherwise applicable national data protection law. Such measures hereunder shall include, but not be limited to,
a. the prevention of unauthorised persons from gaining access to Personal Data Processing systems (physical access control),
b. the prevention of Personal Data Processing systems from being used without authorisation (logical access control),
c. ensuring that persons entitled to use a Personal Data Processing system gain access only to such Personal Data as they are entitled to accessing in accordance with their access rights, and that, in the course of processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorisation (data access control),
d. ensuring that Personal Data cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control),
e. ensuring the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing systems (entry control),
f. ensuring that Personal Data Processed are Processed solely in accordance with the Instructions (control of instructions),
g. ensuring that Personal Data are protected against accidental destruction or loss (availability control),
h. ensuring that Personal Data collected for different purposes can be processed separately (separation control).
Obligations of Processor. 1. With respect to the processing operations referred to in article 1, Processor shall ensure that the conditions on the basis of the GDPR under which processing of personal data takes place are complied with.
2. Processor shall inform Controller, at the request of Controller and within a reasonable term, about the measures taken by Processor concerning its obligations under this Data Processing Agreement.
3. Processor shall keep a register of all data categories it processes on behalf of Controller.
4. The obligations of Processor resulting from this Data Processing Agreement shall also apply to those who process personal data under the authority of Processor.
5. Processor shall notify Controller in case, in the opinion of Processor, an instruction given by Controller is in violation of relevant privacy legislation and regulations.
6. Processor shall lend Controller the cooperation necessary if, for the purpose of processing, an assessment of the data protection impact or prior consultation of the Data Protection Authority may be necessary.