Common use of Obligations of Processor Clause in Contracts

Obligations of Processor. Processor shall: 5.1. Comply with and only act on behalf of the Controller regarding the Processing of Personal Data. 5.2. Not Process Personal Data for any other purposes other than to provide the Services to Controller. 5.3. Notify Controller, where Processor in its opinion believes that an instruction of Controller would result in a violation of applicable Data Protection Law and request Controller to withdraw, amend or confirm the relevant instruction. Pending the decision on the withdrawal, amendment or confirmation of the relevant instruction, Processor shall be entitled to suspend the implementation of the relevant instruction. 5.4. Ensure that persons authorized by Processor to Process the Personal Data on behalf of Controller are suitably informed, trained and instructed in respect of applicable Data Protection Law. 5.5. Implement the appropriate technical and organizational measures to ensure the protection of the Personal Data, according to the requirements of applicable Data Protection Law. 5.6. Notify to Controller any Data Subjects’ rights request within 103 days of its reception, to the email address shown in the heading of this DPA, without responding to that request, for the fulfillment of Controller’s obligation to respond to requests for exercising Data Subjects’ rights concerning information, access, rectification and erasure, restriction of Processing, data portability, objection and automated decision-making. For avoidance of doubt, it is the sole responsibility of Data Controller to enable any Data Subject to execute these such rights. 5.7. Make available to Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and in Art. 28 GDPR and Data Protection Laws. 5.8. Notify Controller, to the email address shown in the heading of this DPA, without within 32 hours after Processor becomes aware of a Personal Data Breach at Processor or its Subprocessors, unless it is unlikely to result in a risk to the rights and freedoms of natural persons. In case of such Personal Data Breach, Processor will assist Controller with investigating the Personal Data Breach and Controller’s obligation under Data Protection Law to inform the Data Subjects and the supervisory authorities, as applicable, and to document the Personal Data Breach. 5.9. Assist Controller with any data protection impact assessment and with prior consultation, if any, that relate to the Services provided by Processor to Controller and the Personal Data Processed on behalf of Controller.

Appears in 2 contracts

Samples: Terms of Service, Terms of Service

AutoNDA by SimpleDocs

Obligations of Processor. Processor shall: 5.1. Comply with and only act on behalf of the Controller regarding the Processing of Personal Data. 5.2. Not Process MentorcliQ shall treat Personal Data for any other purposes other than to provide the Services to Controller. 5.3. Notify Controller, where Processor in its opinion believes that an instruction of Controller would result in a violation of applicable Data Protection Law as Confidential Information and request Controller to withdraw, amend or confirm the relevant instruction. Pending the decision on the withdrawal, amendment or confirmation of the relevant instruction, Processor shall be entitled to suspend the implementation of the relevant instruction. 5.4. Ensure that persons authorized by Processor to only Process the Personal Data on behalf of and in accordance with Controller’s documented instructions for the following purposes: (a) Processing in accordance with the Agreement and applicable Order Form(s) or Statement(s) of Work; (b) Processing initiated by Data Subjects in their use of the Services; and (c) Processing t o comply with other documented reasonable instructions provided by Controller (e.g., via email) where such instructions are suitably informed, trained consistent with the terms of the Agreement and instructed in respect of applicable Data Protection Law. 5.5otherwise lawful. Implement Processor shall take the appropriate technical and organizational measures to ensure the protection of the adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, according described under Schedule 2 to the requirements of applicable Data Protection Law. 5.6Standard Contractual Clauses. Notify to Controller any Data Subjects’ rights request within 103 days of its reception, to Processor will facilitate Controller’s compliance with the email address shown in the heading of this DPA, without responding to that request, for the fulfillment of Controller’s obligation to respond implement security measures with respect to requests for exercising Personal Data (including if applicable Controller’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR), by implementing and maintaining the security measures described under Annex II, complying with the terms relation to Personal Data Breaches below; and providing the Controller with information in relation to the Processing in accordance with Section 5 (Audits). Processor shall ensure that any personnel whom Processor authorizes to process Personal Data on its behalf has received appropriate training on their responsibilities and is subject to confidentiality obligations with respect to that Personal Data. The undertaking to confidentiality shall continue after the termination of the Agreement. Processor shall ensure that its access to the Personal Data is limited to those personnel performing Services in accordance with the Agreement. Processor will notify the Controller within 48 hours after it becomes aware of any of any Personal Data Breach affecting any Personal Data. Processor will provide the Controller with all reasonable assistance necessary to enable the Controller to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects’ rights concerning information, access, rectification and erasure, restriction of Processing, data portability, objection and automated decisionif Controller is required to do so under the Data Protection Law. Processor shall be entitled to engage Sub-makingProcessors to fulfil Processor’s obligations defined in the Agreement only with Controller’s written consent. For these purposes, Controller consents to the engagement as sub-Processors of Processor’s affiliated companies and the third parties listed in Annex III. For the avoidance of doubt, it is the sole responsibility of Data Controller to enable any Data Subject to execute these such rights. 5.7. Make available to Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and in Art. 28 GDPR and Data Protection Laws. 5.8. Notify above authorization constitutes Controller, ’s prior written consent to the email address shown in Sub- Processing by Processor for purposes of Clause 7.7 of the heading of this DPA, without within 32 hours after Standard Contractual Clauses. Where Processor becomes aware of a Personal Data Breach at Processor or its Subprocessors, unless it is unlikely to result in a risk to the rights and freedoms of natural persons. In case of such Personal Data Breachengages Sub-Processors, Processor will assist enter into a contract with the Sub-Processor that imposes on the Sub-Processor the same obligations that apply to Processor under this DPA. Where the Sub-Processor fails to fulfil its data protection obligations, Processor will remain liable to the Controller for the performance of such Sub-Processors obligations. Controller acknowledges and agrees that, in connection with investigating the performance of the Services under the Agreement, Personal Data Breach will be transferred to MentorcliQ in the United States, unless otherwise specified in applicable Order Form(s) or Statement(s) of Work. MentorcliQ. Is a part of the EU-U.S. and Controller’s obligation under Swiss-U.S. Privacy Shield Frameworks, in order to implement appropriate safeguards for such transfers pursuant to Article 46 of the GDPR. The Standard Contractual Clauses at Schedule 2 will apply with respect to Personal Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the Data Protection Law Law). Other than to inform the extent required to comply with Data Subjects Protection Law, following termination or expiry of the Agreement, Processor will return data to the Controller in a mutually agreeable format (e.g. .csv flat-file) and the supervisory authorities, as applicable, and to document the delete all Personal Data Breach(including copies thereof) Processed pursuant to this DPA. 5.9. Assist Controller with any data protection impact assessment and with prior consultation, if any, that relate to the Services provided by Processor to Controller and the Personal Data Processed on behalf of Controller.

Appears in 1 contract

Samples: Data Processing Addendum

Obligations of Processor. Processor shall: 5.1. Comply with and only act on behalf of the Controller regarding the Processing of Personal Data. 5.2. Not Process MentorcliQ shall treat Personal Data for any other purposes other than to provide the Services to Controller. 5.3. Notify Controller, where Processor in its opinion believes that an instruction of Controller would result in a violation of applicable Data Protection Law as Confidential Information and request Controller to withdraw, amend or confirm the relevant instruction. Pending the decision on the withdrawal, amendment or confirmation of the relevant instruction, Processor shall be entitled to suspend the implementation of the relevant instruction. 5.4. Ensure that persons authorized by Processor to only Process the Personal Data on behalf of and in accordance with Controller’s documented instructions for the following purposes: (a) Processing in accordance with the Agreement and applicable Order Form(s) or Statement(s) of Work; (b) Processing initiated by Data Subjects in their use of the Services; and (c) Processing to comply with other documented reasonable instructions provided by Controller (e.g., via email) where such instructions are suitably informed, trained consistent with the terms of the Agreement and instructed in respect of applicable Data Protection Law. 5.5otherwise lawful. Implement Processor shall take the appropriate technical and organizational measures to ensure the protection of the adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, according described under Schedule 2 to the requirements of applicable Data Protection Law. 5.6Standard Contractual Clauses. Notify to Controller any Data Subjects’ rights request within 103 days of its reception, to Processor will facilitate Controller’s compliance with the email address shown in the heading of this DPA, without responding to that request, for the fulfillment of Controller’s obligation to respond implement security measures with respect to requests for exercising Personal Data (including if applicable Controller’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR), by implementing and maintaining the security measures described under Annex II, complying with the terms relation to Personal Data Breaches below; and providing the Controller with information in relation to the Processing in accordance with Section 5 (Audits). Processor shall ensure that any personnel whom Processor authorizes to process Personal Data on its behalf has received appropriate training on their responsibilities and is subject to confidentiality obligations with respect to that Personal Data. The undertaking to confidentiality shall continue after the termination of the Agreement. Processor shall ensure that its access to the Personal Data is limited to those personnel performing Services in accordance with the Agreement. Processor will notify the Controller within 48 hours after it becomes aware of any of any Personal Data Breach affecting any Personal Data. Processor will provide the Controller with all reasonable assistance necessary to enable the Controller to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects’ rights concerning information, access, rectification and erasure, restriction of Processing, data portability, objection and automated decisionif Controller is required to do so under the Data Protection Law. Processor shall be entitled to engage Sub-makingProcessors to fulfil Processor’s obligations defined in the Agreement only with Controller’s written consent. For these purposes, Controller consents to the engagement as sub-Processors of Processor’s affiliated companies and the third parties listed in Annex III. For the avoidance of doubt, it is the sole responsibility of Data Controller to enable any Data Subject to execute these such rights. 5.7. Make available to Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and in Art. 28 GDPR and Data Protection Laws. 5.8. Notify above authorization constitutes Controller, ’s prior written consent to the email address shown in Sub- Processing by Processor for purposes of Clause 7.7 of the heading of this DPA, without within 32 hours after Standard Contractual Clauses. Where Processor becomes aware of a Personal Data Breach at Processor or its Subprocessors, unless it is unlikely to result in a risk to the rights and freedoms of natural persons. In case of such Personal Data Breachengages Sub-Processors, Processor will assist enter into a contract with the Sub-Processor that imposes on the Sub-Processor the same obligations that apply to Processor under this DPA. Where the Sub-Processor fails to fulfil its data protection obligations, Processor will remain liable to the Controller for the performance of such Sub-Processors obligations. Controller acknowledges and agrees that, in connection with investigating the performance of the Services under the Agreement, Personal Data Breach will be transferred to MentorcliQ in the United States, unless otherwise specified in applicable Order Form(s) or Statement(s) of Work. MentorcliQ. Is a part of the EU-U.S. and Controller’s obligation under Swiss-U.S. Privacy Shield Frameworks, in order to implement appropriate safeguards for such transfers pursuant to Article 46 of the GDPR. The Standard Contractual Clauses at Schedule 2 will apply with respect to Personal Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the Data Protection Law Law). Other than to inform the extent required to comply with Data Subjects Protection Law, following termination or expiry of the Agreement, Processor will return data to the Controller in a mutually agreeable format (e.g. .csv flat-file) and the supervisory authorities, as applicable, and to document the delete all Personal Data Breach(including copies thereof) Processed pursuant to this DPA. 5.9. Assist Controller with any data protection impact assessment and with prior consultation, if any, that relate to the Services provided by Processor to Controller and the Personal Data Processed on behalf of Controller.

Appears in 1 contract

Samples: Data Processing Addendum

Obligations of Processor. (1) The Data Processor shall: 5.1. Comply will collect, process and use Personal Data only in compliance with and only act on behalf within the scope of the Controller regarding Data Controller’s Instructions or as specified and agreed in the Processing Base Agreement. (2) Within the Data Processor’s area of responsibility, the Data Processor will structure its internal corporate organization for compliance with the specific requirements of the protection of Personal Data. 5.2. Not Process Personal Data for , established by GDPR, local data protection laws or any other purposes other than to provide applicable privacy and data protection laws and regulations currently in effect (the Services to Controller. 5.3. Notify Controller, where Processor in its opinion believes that an instruction of Controller would result in a violation of applicable Data Protection Law and request Controller to withdraw, amend or confirm the relevant instructionLaws”). Pending the decision on the withdrawal, amendment or confirmation of the relevant instruction, The Data Processor shall be entitled to suspend the implementation of the relevant instruction. 5.4. Ensure that persons authorized by Processor to Process the Personal Data on behalf of Controller are suitably informed, trained and instructed in respect of applicable Data Protection Law. 5.5. Implement will take the appropriate technical and organizational measures to ensure a level of security appropriate to the risk to the Data Controller’s Personal Data in accordance with the requirements of Article 32 GDPR. Such measures hereunder will include, but not be limited to: a) the pseudonymization and encryption of personal data where possible; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services (logical, physical access control, transfer control); c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident (availability control); d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing. Data security measures referred to in this section above will be supported by the use of state-of-the-art encryption technology. An overview of the technical and organizational measures implemented by the Data Processor will be attached to this Agreement as an Exhibit. (3) Upon the Data Controller’s request, the Data Processor will provide all information concerning the protection of Personal Data within the Personal Data, according Data Processor’s organization in the sense of Article 32 of GDPR and will provide reasonable assistance to the requirements of applicable Data Protection Law. 5.6. Notify to Controller any Data Subjects’ rights request within 103 days of its reception, to the email address shown in the heading of this DPA, without responding to that request, for the fulfillment of Controller’s obligation to respond to requests for exercising Data Subjects’ rights concerning information, access, rectification and erasure, restriction of Processing, data portability, objection and automated decision-making. For avoidance of doubt, it is the sole responsibility of Data Controller in order to enable any Data Subject allow it to execute these such rights. 5.7. Make available to Controller all information necessary to demonstrate compliance comply with its obligations under the obligations laid down in this DPA and in Art. 28 GDPR and Data Protection Laws. 5.8(4) The Data Processor will ensure that any personnel, entrusted with Processing the Data Controller’s Personal Data have undertaken in writing to comply with the principle of data secrecy in accordance with Article 5(f) GDPR and have committed themselves to confidentiality. Notify Controller, The undertaking to secrecy will continue after the termination of the above-entitled activities. (5) The Data Processor will notify to the email address shown in Data Controller the heading contact details of this DPAthe Data Processor’s data protection Officer (if appointed) or the responsible associate, respectively. (6) The Data Processor will, without within 32 hours after Processor becomes aware undue delay, inform the Data Controller in case of a Personal Data Breach at Processor or its Subprocessors, unless it is unlikely to result in a risk to (as defined under Article 4 (12) GDPR and will investigate and provide the rights and freedoms of natural persons. In case of such Personal Data Breach, Processor will assist Controller with investigating sufficient information related to the Personal Data Breach and Controller’s will ensure reasonable cooperation in order to enable Data Controller to comply with any legal obligation under to report the Personal Data Protection Law Breach and to inform the Data Subjects and the supervisory authorities, as authority within the time frame provided in the Data Protection Laws. (7) Where applicable, the Data Controller will retain title as to any carrier media provided to the Data Processor as well as any copies or reproductions thereof. The Data Processor will store such media safely and protect them against unauthorized access by third parties. The Data Processor will, upon the Data Controller’s request, provide to document the Data Controller all information on the Data Controller’s Personal Data Breachand information. The Data Processor will be obliged to securely delete any test and scrap material, based on an Instruction issued by the Data Controller on a case-by-case basis. Where the Data Controller so decides, the Data Processor will hand over such material to the Data Controller or store it on the Data Controller’s behalf. 5.9. Assist Controller with any data protection impact assessment (8) The Data Processor will be obliged to self-audit and with prior consultation, if any, that relate verify the fulfilment of the above-entitled obligations and will maintain an adequate documentation of such verification which will be provided to the Services provided by Data Controller upon request. (9) The Data Processor to will inform the Data Controller and the without undue delay of any Personal Data Processed on behalf Breach of ControllerProcessing of Personal Data it becomes aware of.

Appears in 1 contract

Samples: Data Processing Agreement

AutoNDA by SimpleDocs

Obligations of Processor. 5.1 Processor shall:shall collect or process data only as commissioned by Controller and in compliance with the instructions of Controller, unless the Processor is required to do so by European Union or Member State law, or any other Applicable Data Protection Laws to which the Processor is subject to; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. Processor will rectify, delete or block the data processed on behalf of Controller only as instructed by Controller. If a data subject contacts Processor with a request for correction or deletion of its data, Processor shall forward the request to Controller. 5.15.2 Unless prohibited by applicable law or a legally-binding request of law enforcement, Processor shall promptly notify Controller of any request by a data protection supervisory authority, law enforcement authority or other public authority for access to or seizure of Personal Data. Comply In addition, to the extent permitted by law, Processor shall use all reasonably available measures to defend against such action or allow Controller to do so in lieu of and on behalf of Processor, and if it so chooses, seek a protective order or allow Controller to do so on Processor’s behalf. In any case, Processor shall reasonably cooperate with Controller in such defence. 5.3 Before granting access to Personal Data, Processor will oblige persons employed in processing Personal Data on data secrecy and only act confidentiality and familiarize them with the provisions as set forth in these Clauses Part B and data protection obligations applicable to them. To the extent that Processor is processing PersonalData subject to professional secrecy or other special confidentiality obligations (e.g. data subject to the secrecy of telecommunications) such obligation shall also include these specific circumstances and related obligations. 5.4 Insofar as required by Applicable Data Protection Law, Processor will appoint a data protection officer and will forward its contact details to Controller and shall without undue delay report to Controller any changes and updates during the term of this Agreement. 5.5 Processor will without undue delay notify Controller of violations of instructions or of provisions for the protection of Controller’s Personal Data by Processor or a person employed by Processor. Processor acknowledges that Controller may be obliged to document breaches of the protection of Personal Data and, if necessary, inform a supervisory authority, respectively the data subject, within 72 hours on such breach. If and insofar as it has come to such breaches, Processor will assist the Controller with compliance of its reporting obligations in a proper manner to allow for the Controller to timely perform its obligations hereunder. Processor will inform the breach to the Controller and give at least the following information if and to the extent available to Processor: (a) description of the kind of the breach, the category and the approximate amount of data subjects and datasets involved, (b) name and contact of a contact person for further information, (c) description on the probable consequences of the breach, (d) description of the taken measures in order to remedy or reduce the breach. Furthermore, Processor shall without undue delay inform Controller of serious disruptions of the normal course of operations, any suspicions of data protection violations or other irregularities in processing the data of Controller. 5.6 Processor will inform Controller of any monitoring activity of and measures taken by the supervisory authority with regard to the processing of Personal Data of the Controller. 5.7 Processor assists the Controller by appropriate technical and organisational measures, insofar as this is possible and reasonable, for the fulfilment of the Controller’s obligation towards data subjects, e.g. the information to and access of the data subjects, rectification and erasure of data, restriction of processing or the right to data portability and right to object, if applicable. 5.8 Processor assists with the preparation of a data protection impact assessment and, where appropriate, assists with the prior consultation of the supervisory authority. On Controller’s request, Processor shall disclose the required information and documents to Controller. 5.9 The Parties shall come to an agreement regarding any additional costs that are incurred in accordance with 5.7 and 5.8 above. There shall be no obligation to bear the costs for such services to be rendered by MB X which MB X is or would be obliged to perform regardless of the existence of this commissioning under statutory law. 5.10 Processor shall monitor the compliance with obligations specified above during the execution of the commissioned data processing. 5.11 Processor shall maintain a record of processing activities carried out on behalf of the Controller regarding the Processing of Personal Data. 5.2. Not Process Personal Data for any other purposes other than to provide the Services to Controller. 5.3. Notify Controller, where Processor in its opinion believes that an instruction of Controller would result in a violation of applicable Data Protection Law and request Controller to withdraw, amend or confirm the relevant instruction. Pending the decision on the withdrawal, amendment or confirmation of the relevant instruction, Processor shall be entitled to suspend the implementation of the relevant instruction. 5.4. Ensure that persons authorized by Processor to Process the Personal Data on behalf of Controller are suitably informed, trained and instructed in respect of applicable Data Protection Law. 5.5. Implement the appropriate technical and organizational measures to ensure the protection of the Personal Data, according to the requirements of applicable Data Protection Law. 5.6. Notify to Controller any Data Subjects’ rights request within 103 days of its reception, to the email address shown in the heading of this DPA, without responding to that request, for the fulfillment of Controller’s obligation to respond to requests for exercising Data Subjects’ rights concerning information, access, rectification and erasure, restriction of Processing, data portability, objection and automated decision-making. For avoidance of doubt, it is the sole responsibility of Data Controller to enable any Data Subject to execute these such rights. 5.7. Make available to Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and in Art. 28 GDPR and Data Protection Laws. 5.8. Notify Controller, to the email address shown in the heading of this DPA, without within 32 hours after Processor becomes aware of a Personal Data Breach at Processor or its Subprocessors, unless it is unlikely to result in a risk to the rights and freedoms of natural persons. In case of such Personal Data Breach, Processor will assist Controller with investigating the Personal Data Breach and Controller’s obligation under Data Protection Law to inform the Data Subjects and the supervisory authorities, as applicable, and to document the Personal Data Breach. 5.9. Assist Controller with any data protection impact assessment and with prior consultation, if any, that relate to the Services provided by Processor to Controller and the Personal Data Processed on behalf of Controller.

Appears in 1 contract

Samples: Terms of Use

Draft better contracts in just 5 minutes Get the weekly Law Insider newsletter packed with expert videos, webinars, ebooks, and more!