Obligations of Processor. The Processor shall:
(a) process the Personal Data only as instructed by the Controller and on the Controller's behalf; such instruction is provided in the Services Agreement, this DPA and otherwise in documented form as specified in clause 3 above. Such obligation to follow the Controller's instruction also applies to the transfer of the Personal Data to a Third Country or an International Organization.
(b) inform the Controller promptly if the Processor cannot comply with any instructions from the Controller for whatever reasons;
(c) ensure that persons authorized by the Processor to Process the Personal Data on behalf of the Controller have committed themselves to confidentiality or are under an appropriate obligation of confidentiality and that such persons that have access to the Personal Data Process such Personal Data in compliance with the Controller's instructions.
(d) implement the Technical and Organizational Security Measures which will meet the requirements of the Applicable Data Protection Law as further specified in Annex 4 before Processing of the Personal Data and ensure to provide sufficient guarantees to the Controller on such Technical and Organizational Security Measures.
(e) assist the Controller by appropriate Technical and Organizational Measures, insofar as this is feasible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subjects' rights concerning information, access, rectification and erasure, restriction of processing, notification, data portability, objection and automated decision-making. The Processor shall maintain the Technical and Organizational Measures set forth in Annex 4 of this DPA. To the extent such feasible Technical and Organizational Measures require changes or amendments to the Technical and Organizational Measures specified in Annex 4, the Processor will advise the Controller on the costs to implement such additional or amended Technical and Organizational Measures. Once the Controller has confirmed to bear such costs, the Processor will implement such additional or amended Technical and Organizational Measures to assist the Controller to respond to Data Subject's requests.
(f) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and in Article 28 GDPR and allow for and contribute to audits, including inspections conducted by the Controller or another auditor mandated by Controller. The Controller is aware that any in-person on-site audits may significantly disturb the Processor’s business operations and may entail high expenditure in terms of cost and time. Hence, the Controller may only carry out an in-person on-site audit if the Controller reimburses the Processor for any costs and expenditures incurred by the Controller due to the business operation disturbance. Each requested audit shall meet the following requirements:
(i) no more than one audit per calendar year shall be requested or conducted and upon no less than 90 days’ notice to the Processor;
(ii) shall be conducted by an internationally recognized independent auditing firm reasonably acceptable to Processor;
(iii) take place during Processor’s regular business hours, pursuant to a mutually agreed upon scope of audit;
(iv) the duration of the audit must be reasonable and in any event shall not exceed two business days;
(v) no access shall be given to the data of other customers; audits will not be permitted if they interfere with Processor’s ability to provide the Services to any customers;
(vi) audits shall be subject to any confidentiality or other contractual obligations of Processor or Wolters Kluwer’s group (including any confidentiality obligations to other customers, vendors or other third parties);
(vii) any non-affiliated third parties participating in the audit shall execute a confidentiality agreement reasonably acceptable to Processor;
(viii) all costs and expenses of any audit shall be borne by Controller; and
(ix) any audit of a facility will be conducted as an escorted and structured walkthrough and shall be subject to Processor’s security policies.
(g) notify the Controller without undue delay:
(i) about any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under the law to preserve the confidentiality of a law enforcement investigation;
(ii) about any complaints and requests received directly from the Data Subjects (e.g., regarding access, rectification, erasure, restriction of processing, data portability, objection to processing of data, automated decision-making) without responding to that request, unless it has been otherwise authorized to do so;
(iii) if the Processor is required pursuant to EU or Member State law to which the Processor is subject to process the Personal Data beyond the instructions from the Controller, before carrying out such processing beyond the instruction, unless that EU or Member State law prohibits such information on important grounds of public interest; such notification shall specify the legal requirement under such EU or Member State law;
(iv) if, in the Processor's opinion, an instruction infringes the Applicable Data Protection Law; upon providing such notification, the Processor shall not be obliged to follow the instruction, unless and until the Controller has confirmed or changed it; and
(v) after the Processor becomes aware of a Personal Data Breach at the Processor. In case of such a Personal Data Breach, taking into account the nature of the processing and information available to the Processor, upon the Controller's written request, the Processor will use commercially reasonable efforts to assist the Controller with the Controller's obligation under Applicable Data Protection Law to inform the affected Data Subjects and the Supervisory Authorities, as applicable, and to document the Personal Data Breach.
(h) assist the Controller to the extent Controller does not otherwise have access to the relevant information, and to the extent such information is available to Processor, with any Data Protection Impact Assessment as required by Article 35 GDPR that relates to the Services provided by the Processor to the Controller and the Personal Data processed by the Processor on behalf of the Controller.
(i) deal with all enquiries from the Controller relating to its Processing of the Personal Data subject to the processing (e.g., to enable the Controller to respond to complaints or requests from Data Subjects in a timely manner) and abide by the advice of the Supervisory Authority with regard to the Processing of the Personal Data transferred.
(j) that, to the extent that the Processor is required and requested to correct, erase and/or block Personal Data processed under this DPA, the Processor will do so without undue delay. If and to the extent that Personal Data cannot be erased due to statutory retention requirements, the Processor shall, in lieu of erasing the relevant Personal Data, be obliged to restrict the further Processing and/or use of Personal Data, or remove the associated identity from the Personal Data (hereinafter referred to as "blocking"). If the Processor is subject to such a blocking obligation, the Processor shall erase the relevant Personal Data before or on the last day of the calendar year during which the retention term ends.
Appears in 4 contracts
Samples: Subscriber Terms and Conditions, Subscriber Terms and Conditions, Subscriber Terms and Conditions
Obligations of Processor. The Processor shall:
(a) process the Personal Data only as instructed by the Controller and on the Controller's behalf; such instruction is provided in the Services Agreement, this DPA and otherwise in documented form as specified in clause 3 above. Such obligation to follow the Controller's instruction also applies to the transfer of the Personal Data to a Third Country or an International Organization.
(b) inform the Controller promptly if the Processor cannot comply with any instructions from the Controller for whatever reasons;
(c) ensure that persons authorized by the Processor to Process the Personal Data on behalf of the Controller have committed themselves to confidentiality or are under an appropriate obligation of confidentiality and that such persons that have access to the Personal Data Process such Personal Data in compliance with the Controller's instructions.
(d) implement the Technical and Organizational Security Measures which will meet the requirements of the Applicable Data Protection Law as further specified in Annex 4 before Processing of the Personal Data and ensure to provide sufficient guarantees to the Controller on such Technical and Organizational Security Measures.
(e) assist the Controller by appropriate Technical and Organizational Security Measures, insofar as this is feasible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subjects' rights concerning information, access, rectification and erasure, restriction of processing, notification, data portability, objection and automated decision-making. The Processor shall maintain the Technical and Organizational Security Measures set forth in Annex 4 of this DPA. To the extent such feasible Technical and Organizational Security Measures require changes or amendments from time to time to the Technical and Organizational Measures specified in Annex 4, the Processor will advise the Controller on the costs to implement such additional or amended Technical and Organizational Security Measures. Once the Controller has confirmed to bear such costs, the Processor will implement such additional or amended Technical and Organizational Security Measures to assist the Controller to respond to Data Subject's requests.
(f) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and in Article 28 GDPR and allow for and contribute to audits, including inspections conducted by the Controller or another auditor mandated by Controller. The Controller is aware that any in-person on-site audits may significantly disturb the Processor’s business operations and may entail high expenditure in terms of cost and time. Hence, the Controller may only carry out an in-person on-site audit if the Controller reimburses the Processor for any costs and expenditures incurred by the Controller due to the business operation disturbance. Each requested audit shall meet the following requirements:
(i) no more than one audit per calendar year shall be requested or conducted and upon no less than 90 days’ notice to the Processor;
(ii) shall be conducted by an internationally recognized independent auditing firm reasonably acceptable to Processor;
(iii) take place during Processor’s regular business hours, pursuant to a mutually agreed upon scope of audit;
(iv) the duration of the audit must be reasonable and in any event shall not exceed two business days;
(v) no access shall be given to the data of other customers; audits will not be permitted if they interfere with Processor’s ability to provide the Services to any customers;
(vi) audits shall be subject to any confidentiality or other contractual obligations of Processor or Wolters Kluwer’s group (including any confidentiality obligations to other customers, vendors or other third parties);
(vii) any non-affiliated third parties participating in the audit shall execute a confidentiality agreement reasonably acceptable to Processor;
(viii) all costs and expenses of any audit shall be borne by Controller; and
(ix) any audit of a facility will be conducted as an escorted and structured walkthrough and shall be subject to Processor’s security policies.
(g) notify the Controller without undue delay:
(i) about any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under the law to preserve the confidentiality of a law enforcement investigation;
(ii) about any complaints and requests received directly from the Data Subjects (e.g., regarding access, rectification, erasure, restriction of processing, data portability, objection to processing of data, automated decision-making) without responding to that request, unless it has been otherwise authorized to do so;
(iii) if the Processor is required pursuant to UK, EU or Member State law to which the Processor is subject to process the Personal Data beyond the instructions from the Controller, before carrying out such processing beyond the instruction, unless that UK, EU or Member State law prohibits such information on important grounds of public interest; such notification shall specify the legal requirement under such UK, EU or Member State law;
(iv) if, in the Processor's opinion, an instruction infringes the Applicable Data Protection Law; upon providing such notification, the Processor shall not be obliged to follow the instruction, unless and until the Controller has confirmed or changed it; and
(v) after the Processor becomes aware of a Personal Data Breach at the Processor. In case of such a Personal Data Breach, taking into account the nature of the processing and information available to the Processor, upon the Controller's written request, the Processor will use commercially reasonable efforts to assist the Controller with the Controller's obligation under Applicable Data Protection Law to inform the affected Data Subjects and the Supervisory Authorities, as applicable, and to document the Personal Data Breach.
(h) assist the Controller to the extent Controller does not otherwise have access to the relevant information, and to the extent such information is available to Processor, with any Data Protection Impact Assessment as required by Article 35 GDPR that relates to the Services provided by the Processor to the Controller and the Personal Data processed by the Processor on behalf of the Controller.
(i) deal with all enquiries from the Controller relating to its Processing of the Personal Data subject to the processing (e.g., to enable the Controller to respond to complaints or requests from Data Subjects in a timely manner) and abide by the advice of the Supervisory Authority with regard to the Processing of the Personal Data transferred.
(j) that, to the extent that the Processor is required and requested to correct, erase and/or block Personal Data processed under this DPA, the Processor will do so without undue delay. If and to the extent that Personal Data cannot be erased due to statutory retention requirements, the Processor shall, in lieu of erasing the relevant Personal Data, be obliged to restrict the further Processing and/or use of Personal Data, or remove the associated identity from the Personal Data (hereinafter referred to as "blocking"). If the Processor is subject to such a blocking obligation, the Processor shall erase the relevant Personal Data before or on the last day of the calendar year during which the retention term ends.
Appears in 2 contracts
Samples: Subscriber Terms and Conditions, Subscriber Terms and Conditions
Obligations of Processor. a) The Processor shall:
(a) process the Personal Data only as instructed by the Controller and on the Controller's behalf; such instruction is provided in the Services Agreement, this DPA and otherwise in documented form as specified in clause 3 above. Such obligation to follow the Controller's instruction also applies to the transfer of the Personal Data to a Third Country or an International Organization.
(b) inform the Controller promptly if the Processor cannot comply with any instructions from the Controller for whatever reasons;
(c) ensure that persons authorized by the Processor to process the personal data on behalf of the Controller, in particular the Processor's employees as well as employees of any Subprocessors, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that such persons who have access to the personal data process such personal data in compliance with the Controller's instructions.
b) The Processor is obliged to implement the technical and organizational measures as further specified in Annex 2 before processing the personal data on behalf of the Controller. The Processor may amend the technical and organizational measures from time to time provided that the amended technical and organizational measures are not less protective as those set out in Annex 2. Substantial amendments to technical and organizational measures shall be agreed upon in writing between the Parties prior to their implementation. The Processor shall document changes to the technical and organizational measures and provide the Controller with such documentation when being asked.
c) The Processor is obliged to make available to the Controller any information necessary to demonstrate compliance with the obligations of Processor laid down in Art. 28 GDPR and in this DPA. In particular, the Processor will provide an annual audit report based on ISO 27001 or ISAE3402 or SSAE16-SOC 1 Type 2 or ISAE3000 or SSAE16-SOC 2 Type 2 or similar audit reports created by a third party ("Audit Report") as soon as such Audit Report becomes available to the Processor.
d) The Processor shall grant Controller or an auditor commissioned by Controller the necessary access, information and inspection rights for this purpose. The Processor undertakes in particular to grant Controller or the auditor appointed by it access to the data processing facilities, files and other documents in order to enable the inspection and verification of the relevant data processing facilities, files and other documentation relating to the processing of Controller's data. The Processor shall provide Controller or the auditor commissioned by Controller with all information necessary for the inspection. The parties agree that access to data of other Rencore clients in the context of an audit must be excluded under all circumstances. The audit right relates exclusively to technical and organisational measures regarding data processing operations concerning Controller.
e) Controller shall be entitled to enter the Processor's premises where "Principal Data" are processed, with reasonable advance notice during normal business hours (Mondays to Fridays from 9.00 a.m. to 5.00 p.m.) at its own expense, without disrupting the course of business and subject to strict confidentiality of the Processor's business and trade secrets, in order to satisfy itself of compliance with the technical and organisational measures pursuant to Appendix 2 to this Contract. The Controller shall pay reasonable compensation for any disruptions to the Processor's operations or for the provision of the Processor's personnel. If the audit demonstrates that the Processor has breached any obligation under this agreement, the Processor shall immediately cure that breach and pay or reimburse Controller for all reasonable costs and expenses of the audit. Otherwise Controller shall bear its own costs of the audit.
f) The Processor is obliged to notify the Controller without undue delay:
(i) about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as by a prohibition under the criminal law to preserve the confidentiality of a law enforcement investigation; and
(ii) about any complaints and requests received directly from a data subject (e.g., regarding access, rectification, erasure, restriction of processing, data portability, objection to processing of data, automated decision-making) without responding to that request unless the Processor has been authorized by the Controller to do so.
g) The Processor is obliged to notify the Controller without undue delay about a Security Breach at the Processor or its Subprocessors after the Processor becomes aware of a Security Breach, and in this case the Processor will assist the Controller with the Controller's obligation under applicable data protection law to inform the data subjects and the supervisory authorities, as applicable, by providing the necessary information, taking into account the nature of the processing and the information available to the Processor.
h) The Processor is obliged to assist the Controller with its obligation to carry out a data protection impact assessment as may be required by Art. 35 GDPR and prior consultation as may be required by Art. 36 GDPR that relates to the Services provided by the Processor under this DPA by means of providing the necessary and available information to the Controller.
i) The Processor is obliged - at the choice of the Controller - to delete or return to the Controller all the personal data which are processed by the Processor on behalf of the Controller under this DPA after the end of the provision of Services, and delete any existing copies unless European Union or Member State law requires the Processor to retain such personal data.
j) The Processor is obliged to provide to the Controller the respective records of processing activities according to Art. 30
Appears in 2 contracts
Samples: Data Processing Agreement, Data Processing Agreement
Obligations of Processor. 4.1. As Processor, Processor shall comply with its obligations under Applicable Regulations and as set forth in this Processor Agreement.
4.2. Processor shall ensure that it and each of its Processor Employees (a) Processes Personal Data in accordance with Controller’s instructions; (b) refrains from Processing the Personal Data for its own purposes or for purposes of third parties when not permitted under Applicable Regulations; and (c) Processes the Personal Data only in so far as necessary to perform its activities under the Agreement; unless Processor is required to do otherwise by applicable EU, Member State or UK law and, unless the applicable EU, Member State or UK law prohibits the Processor from so notifying the Controller, it promptly notifies Controller thereof in accordance with Article 4.5.b. Processor shall document the (additional) instructions given by Controller.
4.3. During the term of this Processor Agreement, if Processor receives any request from a Data Subject relating to his or her Personal Data, Processor shall promptly refer that Data Subject to Controller to submit his or her requests. Controller shall be responsible for responding to any such request. Processor shall provide such assistance as Controller may reasonably specify to enable Controller to meet its obligations to respond to requests for exercising the rights of Data Subjects pursuant to Applicable Regulations, including, but not limited to, requests from Data Subjects to access, correct or delete their Personal Data. For the purpose of clarity and without limiting Processor’s obligation to provide assistance in accordance with this clause 4.3, Processor may provide software tools within the API (“Tools”) if such is licensed under the Agreement for Controller to perform its obligations as Controller to a Data Subject; prior to requesting assistance from Processor under this paragraph, Controller shall make reasonable and concerted efforts to meet its GDPR obligations to the Data Subject using the Tools if such Tools are provided under the Agreement. For the purpose of clarity, Controller organizations do not have such Tools, so the obligations of Controller related to using Tools under this Section 4.3 do not apply to Controller organizations.
4.4. Processor shall provide such assistance as Controller may reasonably specify to enable Controller to (a) carry out a data protection impact assessment and a possible subsequent prior consultation with a Supervisory Authority and (b) respond to or defend against enquiries, requests or investigations from a Supervisory Authority.
4.5. Processor shall promptly inform Controller in any of the following events if:
a. Processor has reason to believe that it cannot comply with this Processor Agreement;
b. applicable EU, Member State or UK law prevents Processor from fulfilling the instructions received from Controller, unless that law prohibits Processor from providing such information;
c. Processor or a Processor Employee has acted in breach of this Processor Agreement or if a Subprocessor has acted in breach of the written agreement between Processor and such Subprocessor; or
d. Processor has received a warning or a reprimand from a Supervisory Authority that the Processing activities are likely to infringe, or have infringed, Applicable Regulations.
4.6. Processor shall ensure under contract that the Processor Employees:
a. are informed of the
(i) about any legally binding request for disclosure confidential nature of the Personal Data and are bound by a law enforcement authority unless otherwise prohibited, such as a prohibition under confidentiality obligations and use restrictions in respect of the law to preserve the confidentiality of a law enforcement investigationPersonal Data;
(ii) about any complaints and requests received directly from b. have undertaken training on the Data Subjects (e.g., regarding access, rectification, erasure, restriction of processing, data portability, objection Applicable Regulations relating to processing of data, automated decision-making) without responding to that request, unless it has been otherwise authorized to do so;
(iii) if the Processor is required pursuant to EU or Member State law to which the Processor is subject to process the handling Personal Data beyond the instructions from the Controller, before carrying out such processing beyond the instruction, unless that EU or Member State law prohibits such information on important grounds and how it applies to their particular duties; and
c. are aware both of public interest; such notification shall specify the legal requirement under such EU or Member State law;
(iv) if, in the Processor's opinion, an instruction infringes duties and their personal duties and obligations under the Applicable Data Protection Law; upon providing such notification, the Processor shall not be obliged to follow the instruction, unless and until the Controller has confirmed or changed it; and
(v) after the Processor becomes aware of a Personal Data Breach at the Processor. In case of such a Personal Data Breach, taking into account the nature of the processing and information available to the Processor, upon the Controller's written request, the Processor will use commercially reasonable efforts to assist the Controller with the Controller's obligation under Applicable Data Protection Law to inform the affected Data Subjects Regulations and the Supervisory Authorities, as applicable, and to document the Personal Data BreachAgreement.
(h) assist the Controller to the extent Controller does not otherwise have access to the relevant information, and to the extent such information is available to Processor, with any Data Protection Impact Assessment as required by Article 35 GDPR that relates to the Services provided by the Processor to the Controller and the Personal Data processed by the Processor on behalf of the Controller.
(i) deal with all enquiries from the Controller relating to its Processing of the Personal Data subject to the processing (e.g., to enable the Controller to respond to complaints or requests from Data Subjects in a timely manner) and abide by the advice of the Supervisory Authority with regard to the Processing of the Personal Data transferred.
(j) that, to the extent that the Processor is required and requested to correct, erase and/or block Personal Data processed under this DPA, the Processor will do so without undue delay. If and to the extent that Personal Data cannot be erased due to statutory retention requirements, the Processor shall, in lieu of erasing the relevant Personal Data, be obliged to restrict the further Processing and/or use of Personal Data, or remove the associated identity from the Personal Data (hereinafter referred to as "blocking"). If the Processor is subject to such a blocking obligation, the Processor shall erase the relevant Personal Data before or on the last day of the calendar year during which the retention term ends.
Appears in 1 contract
Samples: Data Processor Agreement
Obligations of Processor. a) The Processor shall:
(a) process the Personal Data only as instructed by the Controller and on the Controller's behalf; such instruction is provided in the Services Agreement, this DPA and otherwise in documented form as specified in clause 3 above. Such obligation to follow the Controller's instruction also applies to the transfer of the Personal Data to a Third Country or an International Organization.
(b) inform the Controller promptly if the Processor cannot comply with any instructions from the Controller for whatever reasons;
(c) ensure that persons authorized by the Processor to process the personal data on behalf of the Controller, in particular the Processor’s employees as well as employees of any Subprocessors, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that such persons who have access to the personal data process such personal data in compliance with the Controller’s instructions.
b) The Processor is obliged to implement the technical and organizational measures as further specified in Annex 2 before processing the personal data on behalf of the Controller. The Processor may amend the technical and organizational measures from time to time provided that the amended technical and organizational measures are not less protective than those set out in Annex 2. Substantial amendments to technical and organizational measures shall be agreed upon in writing between the Parties prior to their implementation. The Processor shall document changes to the technical and organizational measures and provide the Controller with such documentation on request.
c) The Processor is obliged to make available to the Controller any information necessary to demonstrate compliance with the obligations of Processor laid down in Art. 28 GDPR and in this DPA. In particular, the Processor will provide an annual audit report based on ISO 27001 or ISAE3402 or SSAE16-SOC 1 Type 2 or ISAE3000 or SSAE16-SOC 2 Type 2 or similar audit reports created by a third party ("Audit Report") as soon as such Audit Report becomes available to the Processor.
d) The Processor shall grant Controller or an auditor commissioned by Controller the necessary access, information and inspection rights for this purpose. The Processor undertakes in particular to grant Controller or the auditor appointed by it access to the data processing facilities, files and other documents in order to enable the inspection and verification of the relevant data processing facilities, files and other documentation relating to the processing of Controller’s data. The Processor shall provide Controller or the auditor commissioned by Controller with all information necessary for the inspection. The parties agree that access to data of other Rencore clients in the context of an audit must be excluded under all circumstances. The audit right relates exclusively to technical and organisational measures regarding data processing operations concerning Controller.
e) Controller shall be entitled to enter the Processor’s premises where "Principal Data" are processed, with reasonable advance notice during normal business hours (Mondays to Fridays from 9.00 a.m. to 5.00 p.m.) at its own expense, without disrupting the course of business and subject to strict confidentiality of the Processor’s business and trade secrets, in order to satisfy itself of compliance with the technical and organisational measures pursuant to Annex 2 to this Contract. Controller shall pay reasonable compensation for any disruptions to the Processor’s operations or for the provision of the Processor’s personnel. If the audit demonstrates that the Processor has breached any obligation under this agreement, the Processor shall immediately cure that breach and pay or reimburse Controller for all reasonable costs of the audit. Otherwise Controller shall bear its own costs of the audit.
f) The Processor is obliged to notify the Controller without undue delay:
(i) about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as by a prohibition under the criminal law to preserve the confidentiality of a law enforcement investigation; and
(ii) about any complaints and requests received directly from a data subject (e.g., regarding access, rectification, erasure, restriction of processing, data portability, objection to processing of data, automated decision-making) without responding to that request unless the Processor has been authorized by the Controller to do so.
g) The Processor is obliged to notify the Controller without undue delay about a Security Breach at the Processor or its Subprocessors after the Processor becomes aware of a Security Breach and in this case the Processor will assist the Controller with the Controller’s obligation under applicable data protection law to inform the data subjects and the supervisory authorities, as applicable, by providing the necessary information taking into account the nature of the processing and the information available to the Processor.
h) The Processor is obliged to assist the Controller with its obligation to carry out a data protection impact assessment as may be required by Art. 35 GDPR and prior consultation as may be required by Art. 36 GDPR that relates to the Services provided by the Processor to the Controller under this DPA by means of providing the necessary and available information to the Controller.
i) The Processor is obliged - at the choice of the Controller - to delete or return to the Controller all the personal data which are processed by the Processor on behalf of the Controller under this DPA after the end of the provision of Services, and delete any existing copies unless European Union or Member State law requires the Processor to retain such personal data.
j) The Processor is obliged to provide to the Controller the respective records of processing activities according to Art. 30
Appears in 1 contract
Samples: Data Processing Agreement