Obligations of Processor. 5.1 Processor shall ensure that all persons authorised by Processor to process personal data on behalf of Controller, particularly personnel of Processor or any Subprocessor, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.2 Before processing personal data to provide the Services, Processor shall implement the following technical and organisational measures: xxx.xxxxxxxxxx.xxx/xxx-xxxx. Processor may amend the technical and organisational measures from time to time provided that the amended technical and organisational measures are not less protective than those in place as of date that the Parties concluded this DPA.
5.3 Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations in the Applicable Data Protection Law. The Parties agree that this information obligation is met by providing Controller with an audit report upon request. To the extent additional audit activities are required by Applicable Data Protection Law, Controller may request inspections conducted by Controller or another auditor mandated by Controller. An on-site audit must:
(a) be limited to processing facilities and personnel of Processor involved in the processing activities covered by this DPA;
(b) occur no more than once annually or as required by Applicable Data Protection Law or by a competent supervisory authority or immediately after a material personal data breach affecting personal data processed by Processor under this DPA; and
(c) may occur only during regular business hours, after reasonable prior notice, in accordance with Processor's security policies and without substantially disrupting Processor's business operations. Each Party shall bear its own costs arising out of or in connection with the on-site audit at Controller and Processor. Controller shall create an audit report summarising the findings and observations of the on-site audit. All audit reports are confidential information of Processor and shall not be disclosed to third parties unless required by Applicable Data Protection Law or with Processor's consent.
5.4 Processor shall notify Controller without undue delay:
(a) about any legally binding request for disclosure of the personal data by a law enforcement authority, unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(b) if applicable law to which Processor or Subprocessor is subject requires Processor or Subprocessor to process the personal data beyond Controller’s instructions, before performing such processing, unless that applicable law prohibits such information. In this case Processor’s notification to Controller must specify the applicable legal requirement; and
(c) after Processor has documented reason to believe that a personal data breach has occurred at Processor or at Subprocessors that may affect the personal data of Controller covered by this DPA. In this case, Processor shall assist Controller with Controller's obligation under Applicable Data Protection Law to inform the data subjects and the supervisory authorities, as applicable, by providing information in accordance with Applicable Data Protection Law as available to Processor. Processor shall implement remediation measure to prevent future breaches.
5.5 Processor shall take commercially reasonable measures to provide necessary information and assist Controller with its obligation to carry out a data protection impact assessment or prior consultation in relation to the Services as may be required by Applicable Data Protection Law. Processor must provide such assistance only if Controller cannot meet its obligation through other means.
5.6 At the choice of Controller, Processor shall delete or return to Controller all personal data (including any data storage media) processed on Controller’s behalf under this DPA after the end of the provision of Services and delete any existing copies unless applicable law requires Processor to retain such personal data.
Appears in 3 contracts
Samples: Cloud Services Agreement, Cloud Services Agreement, Professional Services
Obligations of Processor. 5.1 Processor shall ensure that all persons authorized by Processor to process personal data on behalf of Controller, particularly personnel of Processor or any Subprocessor, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.2 Before processing personal data to provide the Services, Processor shall implement the following technical and organizational measures at xxx.xxxxxxxxxx.xxx/xxx-xxxx. Processor may amend the technical and organizational measures from time to time provided that the amended technical and organizational measures are not less protective than those in place as of date that the Parties concluded this DPA.
5.3 Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations in GDPR Article 28. The Parties agree that this information obligation is met by providing Controller with an audit report upon request. To the extent additional audit activities are required by Applicable Data Protection Law, Controller may request inspections conducted by Controller or another auditor mandated by Controller. Such onsite audit must:
(a) be limited to processing facilities and personnel of Processor involved in the processing activities covered by this DPA;
(b) occur no more than once annually or as required by Applicable Data Protection Law or by a competent supervisory authority or immediately after a material personal data breach affecting personal data processed by Processor under this DPA; and
(c) may occur only during regular business hours, after reasonable prior notice, in accordance with Processor's security policies and without substantially disrupting Processor's business operations. Each Party shall bear its own costs arising out of or in connection with the onsite audit at Controller and Processor. Controller shall create an audit report summarizing the findings and observations of the onsite audit. All audit reports are confidential information of Processor and shall not be disclosed to third parties unless required by Applicable Data Protection Law or with Processor's consent.
5.4 Processor shall notify Controller without undue delay:
(a) about any legally binding request for disclosure of the personal data by a law enforcement authority, unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(b) if applicable EU law, Member State law or other Applicable Data Protection Law to which Processor or Subprocessor is subject requires Processor or Subprocessor to process the personal data beyond Controller’s instructions, before performing such processing, unless that applicable European Union law, Member State law or other Applicable Data Protection Law prohibits such information on important grounds of public interest. In this case Processor’s notification to Controller must specify the applicable legal requirement; and
(c) after Processor has documented reason to believe that a personal data breach has occurred at Processor or at Subprocessors that may affect the personal data of Controller covered by this DPA. In this case, Processor shall assist Controller with Controller's obligation under Applicable Data Protection Law to inform the data subjects and the supervisory authorities, as applicable, by providing information in accordance with to GDPR Article 33 (3) or other Applicable Data Protection Law as available to Processor. Processor shall implement remediation measure to prevent future breaches.
5.5 Processor shall take commercially reasonable measures to provide necessary information and assist Controller with its obligation to carry out a data protection impact assessment or prior consultation in relation to the Services as may be required by GDPR Article 35 or 36. Processor must provide such assistance only if Controller cannot meet its obligation through other means.
5.6 At the choice of Controller, Processor shall delete or return to Controller all personal data (including any data storage media) processed on Controller’s behalf under this DPA after the end of the provision of Services and delete any existing copies unless applicable European Union or Member State law requires Processor to retain such personal data.
Appears in 1 contract
Samples: Data Processing Agreement
Obligations of Processor. 5.1 Processor shall ensure that all persons authorized by Processor to process personal data on behalf of Controller, particularly personnel of Processor or any Subprocessor, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.2 Before processing personal data to provide the Services, Processor shall implement the following technical and organizational measures: xxx.xxxxxxxxxx.xxx/xxx-xxxx. Processor may amend the technical and organizational measures from time to time provided that the amended technical and organizational measures are not less protective than those in place as of date that the Parties concluded this DPA.
5.3 Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations in GDPR Article 28. The Parties agree that this information obligation is met by providing Controller with an audit report upon request. To the extent additional audit activities are required by Applicable Data Protection Law, Controller may request inspections conducted by Controller or another auditor mandated by Controller. Such on-site audit must:
(a) be limited to processing facilities and personnel of Processor involved in the processing activities covered by this DPA;
(b) occur no more than once annually or as required by Applicable Data Protection Law or by a competent supervisory authority or immediately after a material personal data breach affecting personal data processed by Processor under this DPA; and
(c) may occur only during regular business hours, after reasonable prior notice, in accordance with Processor's security policies and without substantially disrupting Processor's business operations. Each Party shall bear its own costs arising out of or in connection with the on-site audit at Controller and Processor. Controller shall create an audit report summarizing the findings and observations of the on-site audit. All audit reports are confidential information of Processor and shall not be disclosed to third parties unless required by Applicable Data Protection Law or with Processor's consent.
5.4 Processor shall notify Controller without undue delay:
(a) about any legally binding request for disclosure of the personal data by a law enforcement authority, unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(b) if applicable EU law, Member State law or other Applicable Data Protection Law to which Processor or Subprocessor is subject requires Processor or Subprocessor to process the personal data beyond Controller’s instructions, before performing such processing, unless that applicable European Union law, Member State law or other Applicable Data Protection Law prohibits such information on important grounds of public interest. In this case Processor’s notification to Controller must specify the applicable legal requirement; and
(c) after Processor has documented reason to believe that a personal data breach has occurred at Processor or at Subprocessors that may affect the personal data of Controller covered by this DPA. In this case, Processor shall assist Controller with Controller's obligation under Applicable Data Protection Law to inform the data subjects and the supervisory authorities, as applicable, by providing information in accordance with to GDPR Article 33 (3) or other Applicable Data Protection Law as available to Processor. Processor shall implement remediation measure to prevent future breaches.
5.5 Processor shall take commercially reasonable measures to provide necessary information and assist Controller with its obligation to carry out a data protection impact assessment or prior consultation in relation to the Services as may be required by GDPR Article 35 or 36. Processor must provide such assistance only if Controller cannot meet its obligation through other means.
5.6 At the choice of Controller, Processor shall delete or return to Controller all personal data (including any data storage media) processed on Controller’s behalf under this DPA after the end of the provision of Services and delete any existing copies unless applicable European Union or Member State law requires Processor to retain such personal data.
Appears in 1 contract
Samples: Order Form for Services
Obligations of Processor. 5.1 Processor shall ensure that all persons authorized by Processor to process personal data on behalf of Controller, particularly personnel of Processor or any Subprocessor, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.2 Before processing personal data to provide the Services, Processor shall implement the following technical and organizational measures: xxx.xxxxxxxxxx.xxx/xxx-xxxx. Processor may amend the technical and organizational measures from time to time provided that the amended technical and organizational measures are not less protective than those in place as of date that the Parties concluded this DPA.
5.3 Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations in GDPR Article 28. The Parties agree that this information obligation is met by providing Controller with an audit report upon request. To the extent additional audit activities are required by Applicable Data Protection Law, Controller may request inspections conducted by Controller or another auditor mandated by Controller. Such on-site audit must:
(a) be limited to processing facilities and personnel of Processor involved in the processing activities covered by this DPA;
(b) occur no more than once annually or as required by Applicable Data Protection Law or by a competent supervisory authority or immediately after a material personal data breach affecting personal data processed by Processor under this DPA; and
(c) may occur only during regular business hours, after reasonable prior notice, in accordance with Processor's security policies and without substantially disrupting Processor's business operations. Each Party shall bear its own costs arising out of or in connection with the on-site audit at Controller and Processor. Controller shall create an audit report summarizing the findings and observations of the on-site audit. All audit reports are confidential information of Processor and shall not be disclosed to third parties unless required by Applicable Data Protection Law or with Processor's consent.
5.4 Processor shall notify Controller without undue delay:
(a) about any legally binding request for disclosure of the personal data by a law enforcement authority, unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(b) if applicable EU law, Member State law or other Applicable Data Protection Law to which Processor or Subprocessor is subject requires Processor or Subprocessor to process the personal data beyond Controller’s instructions, before performing such processing, unless that applicable European Union law, Member State law or other Applicable Data Protection Law prohibits such information on important grounds of public interest. In this case Processor’s notification to Controller must specify the applicable legal requirement; and
(c) after Processor has documented reason to believe that a personal data breach has occurred at Processor or at Subprocessors that may affect the personal data of Controller covered by this DPA. In this case, Processor shall assist Controller with Controller's obligation under Applicable Data Protection Law to inform the data subjects and the supervisory authorities, as applicable, by providing information in accordance with Applicable Data Protection Law as available to Processor. Processor shall implement remediation measure to prevent future breaches.
5.5 Processor shall take commercially reasonable measures to provide necessary information and assist Controller with its obligation to carry out a data protection impact assessment or prior consultation in relation to the Services as may be required by Applicable Data Protection Law. Processor must provide such assistance only if Controller cannot meet its obligation through other means.
5.6 At the choice of Controller, Processor shall delete or return to Controller all personal data (including any data storage media) processed on Controller’s behalf under this DPA after the end of the provision of Services and delete any existing copies unless applicable law requires Processor to retain such personal data.GDPR Article 33
Appears in 1 contract
Samples: Software Subscription License and Cloud Services Agreement