Obligations of the Processor. 5.1. The Processor undertakes to:
5.1.1. Process the Processed Data for the sole purpose of performing the Services, subject to the limits and in the manner provided for by the Agreement between Controller and Processor for the provision of such Services, this DPA and the Data Protection Law, and in strict compliance with the written instructions given by the Controller, and shall immediately inform in writing the Controller should it deem that any of the aforesaid instructions is in breach of the Data Protection Law or, in general, of any applicable law;
5.1.2. Process exclusively the Processed Data that is strictly necessary for correctly and fully performing the Service or meeting the obligations provided for by Data Protection Law or other applicable law;
5.1.3. Process the Processed Data lawfully, fairly and in full compliance with the principles applicable to data processing, with the requirements laid down by the Data Protection Law and the information on the processing of the Processed Data provided to the relevant data subjects by the Controller;
5.1.4. Assist and cooperate, within a reasonable manner, with the Controller whenever required under the processing of the Processed Data, namely if it suspects of any data breach that could undermine the availability, integrity, privacy and/or security of the Processed Data;
5.1.5. Inform the Controller of any restriction required to the processing of any Processed Data, regardless if required by a Data Subject or instructed by a relevant data protection supervisory authority, unless if prohibited by law;
5.1.6. Keep the Controller up to date about the Processed Data or any other relevant information, namely about any notification or request for information from a relevant data supervisory authority;
5.1.7. Cooperate with and assist the Controller in the response to any notifications from a supervisory authority in connection with the Processed Data, including, without limitation, the provision of supporting documentation to be submitted to the relevant supervisory authority as evidence that the Processor is legally bound by the terms of this DPA;
5.1.8. Provide to the Controller, upon request, all the information in its possession or control referring to the processing of the Processed Data under this DPA, namely for the latter to assess whether such processing is carried out in accordance with this DPA.
5.1.9. Disclose the information reasonably required by the Controller for the performance of privacy impact assessments concerning the processing activities and cooperate on the implementation of mitigation actions agreed by the Parties to address privacy risks which may have been identified.
5.1.10. Permit, provide information for and cooperate with the Controller regarding audits, including any inspections conducted by the Controller or another auditor mandated by the Controller.
5.2. With regard to the Persons in Charge of Data Processing, the Processor further undertakes to:
5.2.1. guarantee that the Persons in Charge of Data Processing can access and process only the Processed Data that is strictly necessary for correctly and fully performing the Services or meeting the legal requirements, in each case, subject to the limits and in accordance with the conditions of this DPA, the principal agreement between Controller and Processor for the provision of the Services and the Data Protection Law;
5.2.2. guarantee that the Persons in Charge of Data Processing are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;
5.2.3. consent that the Processed Data are processed only by the Persons in Charge of Data Processing who
(i) on the basis of their experience, capabilities and training, can ensure compliance with the Data Protection Law and need to access the data for the purpose of performing the Service;
(ii) attended periodically training courses on the obligations prescribed by the Data Protection Law.
5.2.4. adopt any physical, technical and organizational measure aimed at enabling:
5.2.4.1. each Person in Charge of Data Processing to access exclusively the Processed Data that he/she is authorized to process, by taking into account the activity that he/she is required to carry out to perform the Service;
5.2.4.2. any processing of the Processed Data that is in breach of the DPA and/or the Data Protection Law to be promptly identified and reported to the Controller; and
5.2.4.3. upon termination of the Services and, with respect to each Person in Charge of Data Processing, upon termination of the appointment of such Person in Charge of Data Processing, including, without limitation, when the employment or collaboration relationship between the Person in Charge of Data Processing and the relevant Processor or Sub-Processor is terminated, ensure total confidentiality, availability and integrity of the Processed Data.
Appears in 2 contracts
Obligations of the Processor. 5.1. The Processor undertakes to:
5.1.1. Process the Processed Data for the sole purpose of performing the Services, subject to the limits and in the manner provided for by the Agreement between Controller and Processor for the provision of such Services, this DPA and the Data Protection Law, and in strict compliance with the written instructions given by the Controller and shall immediately inform in writing the Controller should it deem that any of the aforesaid instructions is in breach of the Data Protection Law or, in general, of any applicable law;
5.1.2. Process exclusively the Processed Data that is strictly necessary for correctly and fully performing the Service or meeting the obligations provided for by Data Protection Law or other applicable law;
5.1.3. Process the Processed Data lawfully, fairly and in full compliance with the principles applicable to data processing, with the requirements laid down by the Data Protection Law and the information on the processing of the Processed Data provided to the relevant data subjects by the Controller;
5.1.4. Assist and cooperate, within a reasonable manner, with the Controller whenever required under the processing of the Processed Data, namely if it suspects of any data breach that could undermine the availability, integrity, privacy and/or security of the Processed Data;
5.1.5. Inform the Controller of any restriction required to the processing of any Processed Data, regardless if required by a Data Subject or instructed by a relevant data protection supervisory authority, unless if prohibited by law;
5.1.6. Keep the Controller up to date about the Processed Data or any other relevant information, namely about any notification or request for information from a relevant data supervisory authority;
5.1.7. Cooperate with and assist the Controller in the response to any notifications from a supervisory authority in connection with the Processed Data, including, without limitation, the provision of supporting documentation to be submitted to the relevant supervisory authority as evidence that the Processor is legally bound by the terms of this DPA;
5.1.8. Provide to the Controller, upon request, all the information in its possession or control referring to the processing of the Processed Data under this DPA, namely for the latter to assess whether such processing is carried out in accordance with this DPA;
5.1.9. Disclose the information reasonably required by the Controller for the performance of privacy impact assessments concerning the processing activities and cooperate on the implementation of mitigation actions agreed by the Parties to address privacy risks which may have been identified; and
5.1.10. Permit, provide information for and cooperate with the Controller regarding audits, including any inspections conducted by the Controller or another auditor mandated by the Controller.
5.2. With regard to the Persons in Charge of Data Processing, the Processor further undertakes to:
5.2.1. guarantee that the Persons in Charge of Data Processing can access and process only the Processed Data that is strictly necessary for correctly and fully performing the Services or meeting the legal requirements, in each case, subject to the limits and in accordance with the conditions of this DPA, the principal agreement between Controller and Processor for the provision of the Services and the Data Protection Law;
5.2.2. guarantee that the Persons in Charge of Data Processing are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;
5.2.3. consent that the Processed Data are processed only by the Persons in Charge of Data Processing who
(i) on the basis of their experience, capabilities and training, can ensure compliance with the Data Protection Law and need to access the data for the purpose of performing the Service; and
(ii) attended periodically training courses on the obligations prescribed by the Data Protection Law;
5.2.4. adopt any physical, technical and organizational measure aimed at enabling:
5.2.4.1. each Person in Charge of Data Processing to access exclusively the Processed Data that he/she is authorized to process, by taking into account the activity that he/she is required to carry out to perform the Service;
5.2.4.2. any processing of the Processed Data that is in breach of the DPA and/or the Data Protection Law to be promptly identified and reported to the Controller; and
5.2.4.3. upon termination of the Services and, with respect to each Person in Charge of Data Processing, upon termination of the appointment of such Person in Charge of Data Processing, including, without limitation, when the employment or collaboration relationship between the Person in Charge of Data Processing and the relevant Processor or Sub-Processor is terminated, ensure total confidentiality, availability and integrity of the Processed Data.
Appears in 2 contracts
Obligations of the Processor. 1. The Processor undertakes to process the data only for the purpose and to the extent set out in this agreement.
2. The Processor will keep records of the persons authorised to process data, including those having access to IT systems in which data are processed.
3. The Processor undertakes not to disclose information about data to unauthorised persons, in particular in respect of the protection and security measures applied in relation to the data by the Processor or by the Data Controller.
4. If necessary, the Data Controller may provide the Processor with detailed recommendations on the processing of data in accordance with this agreement, in particular applicable to data protection, and the Processor must immediately comply with the Data Controller’s recommendations.
5. As far as possible, the Processor will provide assistance to the Data Controller to the extent necessary to respond to requests of the data subject and to comply with the obligations set forth in Articles 32 to 36 GDPR.
6. The Processor undertakes to:
1) provide the Data Controller, at each request of the Data Controller, with all the information necessary to prove that the Processor complies with the obligations resulting from provisions governing the protection of personal data (in particular GDPR), within 7 days of the date of receipt of the request;
2) immediately, inform the Data Controller of the following in an effective manner:
a) in each case of a data protection breach, i.e. any situation that constitutes a breach of provisions on personal data protection or this agreement, especially those that may result in the Data Controller’s or Processor’s liability under applicable legal provisions (including violation of data confidentiality or their misuse), however, not later than within 24 hours after the discovery of the event. The notification should be made electronically to the following email addresses: ................................................ and describe the nature of the breach and the categories of data concerned,
b) any legitimate request for data to be made available to the competent public authority,
c) any request received directly from the data subject with regard to the processing of his/her data, while refraining from responding to the request, unless authorised to do so by the Data Controller,
d) any proceedings, in particular administrative or judicial proceedings, concerning the processing of data,
e) any administrative decision or a judgement concerning the processing of data, addressed to the Processor, as well as of any planned (as far as known) or performed audits and inspections concerning the processing of data, in particular those carried out by the President of the Office for Personal Data Protection.
7. The Processor will enable authorised employees of the Data Controller to perform checks in the form of a personal data protection and security audit during the Processor’s working hours, in respect of compliance of the processing with GDPR and provisions of this agreement.
8. The Processor must cooperate with the Data Controller’s employees in the check-related activities referred to in Clause 7.
9. The Processor makes available to the Data Controller all the information
Appears in 1 contract
Samples: Personal Data Processing Agreement
Obligations of the Processor. 1. The Processor hereby declares that they have the infrastructure, resources, experience, knowledge and qualified personnel, to the extent enabling the proper performance of the Agreement, in accordance with applicable law. In particular, the Processor declares that they are familiar with the principles of processing and securing personal data resulting from:
1) GDPR;
2) the applicable national regulations.
2. The Processor is obliged to:
1) process entrusted personal data only on the basis of the Agreement and process the personal data only on documented instructions from the Controller unless required to do so by Union or Member State law to which the Processor is subject. In a situation where the Processor's obligation to process personal data results from legal provisions, the Processor shall inform the Controller by electronic means - before processing - of that legal requirement, unless that law prohibits such information on important grounds of public interest;
2) process entrusted personal data in accordance with the Regulation, this DPA regulations adopted to enable the Regulation to be applied, other applicable legal provisions, the Agreement and the Data Protection Law, and in strict compliance with the written instructions given by the Controller, and shall immediately inform in writing the Controller should it deem that any of the aforesaid instructions is in breach of the Data Protection Law or, in general, of any applicable law;
5.1.2. Process exclusively the Processed Data that is strictly necessary for correctly and fully performing the Service or meeting the obligations provided for by Data Protection Law or other applicable law;
5.1.3. Process the Processed Data lawfully, fairly and in full compliance with the principles applicable to data processing, with the requirements laid down by the Data Protection Law and the information on the processing of the Processed Data provided to the relevant data subjects by the Controller;
3) process personal data entrusted to them with the exception of the highest principles of security and protection of personal data required by applicable law, including in particular those required by the provisions of the GDPR;
4) assign access to entrusted personal data only to persons who, due to the scope of their tasks, have been authorised by the Processor to process them, and committed themselves to confidentiality of data processed during and after termination of employment with the Controller whenever required under the processing of the Processed Data, namely if it suspects of any data breach that could undermine the availability, integrity, privacy and/or security of the Processed Data;
5.1.5. Inform the Controller of any restriction required to the processing of any Processed Data, regardless if required by a Data Subject or instructed by a relevant data protection supervisory authority, unless if prohibited by law;
5.1.6. Keep the Controller up to date about the Processed Data or any other relevant information, namely about any notification or request for information from a relevant data supervisory authority;
5.1.7. Cooperate with and assist the Controller in the response to any notifications from a supervisory authority in connection with the Processed Data, including, without limitation, the provision of supporting documentation to be submitted to the relevant supervisory authority as evidence that the Processor is legally bound by the terms of this DPA;
5.1.8. Provide to the Controller, upon request, all the information in its possession or control referring to the processing of the Processed Data under this DPA, namely for the latter to assess whether such processing is carried out in accordance with this DPA.
5.1.9. Disclose the information reasonably required by the Controller for the performance of privacy impact assessments concerning the processing activities and cooperate on the implementation of mitigation actions agreed by the Parties to address privacy risks which may have been identified.
5.1.10. Permit, provide information for and cooperate with the Controller regarding audits, including any inspections conducted by the Controller or another auditor mandated by the Controller.
5.2. With regard to the Persons in Charge of Data Processing, the Processor further undertakes to:
5.2.1. guarantee that the Persons in Charge of Data Processing can access and process only the Processed Data that is strictly necessary for correctly and fully performing the Services or meeting the legal requirements, in each case, subject to the limits and in accordance with the conditions of this DPA, the principal agreement between Controller and Processor for the provision of the Services and the Data Protection Law;
5.2.2. guarantee that the Persons in Charge of Data Processing are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;
5.2.3. consent that the Processed Data are processed only by the Persons in Charge of Data Processing who
(i) on the basis of their experience, capabilities and training, can ensure compliance with the Data Protection Law and need to access the data for the purpose of performing duties resulting from the ServiceAgreement;
5) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of violating the rights or freedoms of individuals whose personal data will be processed under the Agreement (Article 32 of the GDPR) and ensure the implementation of principles of data protection by design and data protection by default (specified in Article 25 of the GDPR);
6) maintain documentation describing the processing of data by the Processor, including, in particular, the record of processing activities (Article 30 of the GDPR);
7) immediately, and no later than within 24 hours, inform the Controller of any suspected violation of personal data protection;
8) support the Controller in the performance of the duties specified in art. 32-36 GDPR;
9) support the Controller (through the application of appropriate technical and organisational measures) in the fulfilment of the obligation to respond to requests of data subjects in the exercise of their rights set out in Chapter III of the Regulation;
10) make available to the Controller, at their request, no later than within 30 working days, all information necessary to demonstrate compliance of the Processor with the obligations laid down in the applicable law, in particular the Regulation, including information on the safeguards used, identified threats and incidents in the area of personal data protection;
11) immediately inform the Controller if, in their opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions;
12) immediately, but no later than within 10 business days, inform (if it does not lead to violation of the applicable law) the Controller of any proceedings, in particular administrative or judicial, concerning the processing of personal data by the Processor, any administrative decision or a judgment regarding the processing of data addressed to the Processor, of any controls and inspections regarding the processing of personal data by the Processor, in particular those carried out by the supervisory authority, as well as any complaints from data subjects related to the processing of their personal data;
13) store personal data only as long as the Controller has designated it, and also, without unnecessary delay, update, correct, modify, anonymise, restrict the processing or deletion of personal data in accordance with the instructions of the Controller (if such action would cause inability to continue to implement processing activities, the Processor will inform the Controller before it is taken and then follow the instructions of the Controller);
14) return or delete in a permanent manner, upon the termination, expiration or termination of this Agreement, all personal data provided by the Controller and delete existing copies, unless Union or Member State law requires storage of the personal data (costs of return or destruction of personal data and copies thereof bears the Processor).
Appears in 1 contract
Samples: Data Processing Agreement
Obligations of the Processor. 5.1. The Processor undertakes to:
5.1.1. Process the Processed Data for the sole purpose of performing the Services, subject to the limits and in the manner provided for by the Agreement between Controller and Processor for the provision of such Services, this DPA and the Data Protection Law, and in strict compliance with the written instructions given by the Controller and shall immediately inform in writing the Controller should it deem that any of the aforesaid instructions is in breach of the Data Protection Law or, in general, of any applicable law;
5.1.2. Process exclusively the Processed Data that is strictly necessary for correctly and fully performing the Service or meeting the obligations provided for by Data Protection Law or other applicable law;
5.1.3. Process the Processed Data lawfully, fairly and in full compliance with the principles applicable to data processing, with the requirements laid down by the Data Protection Law and the information on the processing of the Processed Data provided to the relevant data subjects by the Controller;
5.1.4. Assist and cooperate, within a reasonable manner, with the Controller whenever required under the processing of the Processed Data, namely if it suspects of any data breach that could undermine the availability, integrity, privacy and/or security of the Processed Data;
5.1.5. Inform the Controller of any restriction required to the processing of any Processed Data, regardless if required by a Data Subject or instructed by a relevant data protection supervisory authority, unless if prohibited by law;
5.1.6. Keep the Controller up to date about the Processed Data or any other relevant information, namely about any notification or request for information from a relevant data supervisory authority;
5.1.7. Cooperate with and assist the Controller in the response to any notifications from a supervisory authority in connection with the Processed Data, including, without limitation, the provision of supporting documentation to be submitted to the relevant supervisory authority as evidence that the Processor is legally bound by the terms of this DPA;
5.1.8. Provide to the Controller, upon request, all the information in its possession or control referring to the processing of the Processed Data under this DPA, namely for the latter to assess whether such processing is carried out in accordance with this DPA.
5.1.9. Disclose the information reasonably required by the Controller for the performance of privacy impact assessments concerning the processing activities and cooperate on the implementation of mitigation actions agreed by the Parties to address privacy risks which may have been identified.
5.1.10. Permit, provide information for and cooperate with the Controller regarding audits, including any inspections conducted by the Controller or another auditor mandated by the Controller.
5.2. With regard to the Persons in Charge of the Processing, the Processor further undertakes to:
5.2.1. guarantee that the Persons in Charge of the Processing can access and process only the Processed Data that is strictly necessary for correctly and fully performing the Services or meeting the legal requirements, in each case, subject to the limits and in accordance with the conditions of this DPA, the principal agreement between Controller and Processor for the provision of the Services and the Data Protection Law;
5.2.2. guarantee that the Persons in Charge of the Processing are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;
5.2.3. consent that the Processed Data are processed only by the Persons in Charge of Data Processing who
(i) on the basis of their experience, capabilities and training, can ensure compliance with the Data Protection Law and need to access the data for the purpose of performing the Service;
(ii) attended periodically training courses on the obligations prescribed by the Data Protection Law;
5.2.4. adopt any physical, technical and organizational measure aimed at enabling:
5.2.4.1. each Person in Charge of the Processing to access exclusively the Processed Data that he/she is authorized to process, by taking into account the activity that he/she is required to carry out to perform the Service;
5.2.4.2. any processing of the Processed Data that is in breach of the DPA and/or the Data Protection Law to be promptly identified and reported to the Controller; and
5.2.4.3. upon termination of the Services and, with respect to each Person in Charge of the Processing, upon termination of the appointment of such Person in Charge of the Processing, including, without limitation, when the employment or collaboration relationship between the Person in Charge of Data Processing and the relevant Processor or Sub-Processor is terminated, ensure total confidentiality, availability and integrity of the Processed Data.
Appears in 1 contract
Samples: Data Processing Agreement