Common use of OBLIGATIONS OF THE DATA PROCESSOR Clause in Contracts

OBLIGATIONS OF THE DATA PROCESSOR. Data Processing 6.1 Only process the Personal Data & Special Categories of Personal Data for the purpose of providing the Services and in accordance with the Data Controller’s instructions, unless the Data Processor is required to do otherwise by law. 6.2 Only process the Personal Data & Special Categories of Personal Data only to the extent and in such a manner as is necessary for the provision of the services. 6.3 Only process the Personal Data & Special Categories of Personal Data in compliance with the Data Protection Act 2018 and the GDPR. 6.4 Assist the Data Controller in providing subject access and allowing data subjects to exercise all their other rights under the GDPR. The response to all subject information and other GDPR requests that may be received from the data subjects shall be provided within 14 days. All such requests must be received by the Data Controller and all communication with the Data Subjects must be via the Data Controller. If any requests are received by the Data Processor, the Data Subject would normally be instructed to contact the Data Controller. 6.5 Implement appropriate technical and organisational measures to protect the Personal Data, and any other Confidential Information, against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and/or other Confidential Information. As a minimum all data shall be encrypted in transit (with HTTPS via TLS 1.2 or higher) and at rest via Transparent Data Encryption (TDE);

OBLIGATIONS OF THE DATA PROCESSOR. Data Processing 6.1 Only process the Personal Data & Special Categories of Personal Data for the purpose of providing the Services and in accordance with the Data Controller’s instructions, unless the Data Processor is required to do otherwise by law. 6.2 Only process the Personal Data & Special Categories of Personal Data only to the extent and in such a manner as is necessary for the provision of the services. 6.3 Only process the Personal Data & Special Categories of Personal Data in compliance with the Data Protection Act 2018 Xxx 0000 and the GDPR. 6.4 Assist the Data Controller in providing subject access and allowing data subjects to exercise all their other rights under the GDPR. The response to all subject information and other GDPR requests that may be received from the data subjects shall be provided within 14 days. All such requests must be received by the Data Controller and all communication with the Data Subjects must be via the Data Controller. If any requests are received by the Data Processor, the Data Subject would normally be instructed to contact the Data Controller. 6.5 Implement appropriate technical and organisational measures to protect the Personal Data, and any other Confidential Information, against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and/or other Confidential Information. As a minimum all data shall be encrypted in transit (with HTTPS via TLS 1.2 or higher) and at rest via Transparent Data Encryption (TDE);