Obligations of the Service Provider. The Service Provider agrees:
(a) to process the Personal Data only on behalf, and in accordance with the written instructions of Client from time to time, and in accordance with this agreement;
(b) that it has no reason to believe that the legislation applicable to it (including the Regulation) prevents it from fulfilling the instructions received from Client and its obligations under the contract;
(c) having regard to the state of technological development and the cost of implementing any measures, it will take appropriate technical and organisational measures against the unauthorised or unlawful processing of the personal data and against the accidental loss or destruction of, or damage to, the personal data to ensure a level of security appropriate to: (i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and (ii) the nature of the data to be protected; and take reasonable steps to ensure compliance with those measures;
(d) to ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
(e) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer;
(ii) the data subject has enforceable rights and effective legal remedies;
(iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(iv) the Data Processor complies with reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data.
(f) that it shall promptly notify Client about:
(i) any legally binding request for the disclosure of the Personal Data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law, to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorised access, unlawful processing or disclosure;
(iii) any complaint and/or request received directly from the Data Subjects without responding to that request, unless he has been otherwise authorised to do so;
(g) to deal promptly and properly with all enquiries from Client relating to his processing of the personal data subject to the transfer and to abide by the advice of the Supervisory Authority with regard to the processing of the data transferred; and
(h) maintain complete and accurate records and information to demonstrate its compliance with this clause and, at the request of Client, to submit its data processing facilities for audit of the processing activities covered by this Agreement which shall be carried out by Client or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by Client, where applicable, in agreement with the Supervisory Authority.

Guaranteed Uptime levels
The Platform shall have 99.9% uptime, excluding any scheduled downtime required for updates to the platform outside of normal business hours (8am-6pm Monday to Friday). Service Provider shall schedule updates outside of business hours (ie not 8am-6pm Monday to Friday) and in normal circumstances system updates shall be conducted after 8pm when no users are actively making use of the platform. Where possible, Service Provider will notify Client in advance of any planned updates and resulting scheduled downtime.

Measurement and penalties
Uptime is measured over each calendar month.
If uptime drops below the relevant threshold, a penalty will be applied in the form of a credit for the Client. This means the following month’s fee payable by the Client will be reduced on a sliding scale as follows: 2 fee reduction for every 1% below the uptime SLA. The level of penalty will be calculated depending on the number of hours for which the service was unavailable, minus the downtime permitted by the SLA:
Uptime penalties in any month are capped at 50% of the total monthly fee.

Provision of Client data and Client Information
Client shall have access to and be able to download all matter structured data in whole or part (in CSV machine readable format) and individual documents from matters via the Platform, in accordance with the Guaranteed Uptime levels (ie 99.9% of the time). If Client requires bulk download of all or some documents from the platform, the Service Provider shall provide such documents along with reference to any structured data within 15 business days of a request from the Client, setting out the documents required (all or part). Such documents shall be made available via a secure file sharing platform or as instructed by the Client in line with Client’s security requirements.

Guaranteed response times
When the Client raises a support issue with Service Provider, Service Provider promises to respond in a timely fashion.

Response times
The response time measures how long it takes Service Provider to respond to a support request via email. Service Provider is deemed to have responded when it has replied to the Client’s initial request. This may be in the form of an email or telephone call, to either provide a solution or request further information. Response times are measured from the moment the Client submits a support request via email. Response times apply during standard working hours (9am — 6pm Monday to Friday) only, unless the contract between the Client and supplier specifically includes provisions for out of hours support.
Subject to the above limitations, Service Provider shall respond to support requests within one (1) hour.

Resolution times
Service Provider will always endeavour to resolve problems as swiftly as possible and usually within three (3) working days. It recognises that the Client’s use of the Platform is key to its business and that any downtime can cost money. However, Service Provider is unable to provide guaranteed resolution times. This is because the nature and causes of problems can vary enormously. In all cases, Service Provider will make its best efforts to resolve problems as quickly as possible. It will also provide frequent progress reports to the Client.

Exclusions
Service Provider will do everything possible to rectify every issue in a timely manner. However, there are exclusions. This SLA does not apply to:
● Any Client or third party provided equipment, software, services.
● Software, equipment or services not purchased via and managed by Service Provider.
Additionally, this SLA does not apply when:
● The problem has been caused by using the Service Provider's equipment, software or service(s) in a way that is not recommended.
● The Client has made unauthorized changes to the configuration or set up of affected equipment, software or services.
● The Client has prevented Service Provider from performing required maintenance and update tasks or failed to respond to reasonable questions about the issue.
● The issue has been caused by unsupported devices, equipment, software or other services.
This SLA does not apply in circumstances that could be reasonably said to be beyond Service Provider’s control. For instance: floods, war, acts of god, civil unrest and so on. This SLA also does not apply if the Client is in breach of its contract with Service Provider for any reason (e.g. late payment of fees, improper use, violation of terms, etc.).
Appears in 2 contracts
Samples: Software Agreement, Service Agreement
Obligations of the Service Provider. In consideration of the HSE directly making the Information available to the Service Provider, or the Service Provider otherwise acquiring the Information, the Service Provider shall:
2.1 Not take or remove any Information from HSE premises without having received the written authorisation of the HSE. Such written authorisation must be issued in advance of the first instance and will apply thereafter;
2.2 Manage and process any Information which they acquire from the HSE in accordance with the written instructions of the HSE and the obligations of the Data Protection Acts 1988 and 2003 and (when effective) EU General Data Protection Regulation (EU Regulation No. 2016/679) and the European Communities (Electronic Communications Networks and Services) / (Privacy and Electronic Communications) Regulations 2011 in so far as these obligations apply to a data processor;
2.3 Maintain secret and confidential all Information furnished to it or otherwise acquired by its servants, employees, agents, subsidiaries or sub-contractors save and to the extent that such Information has been made available to the public by the HSE or by any third party lawfully in possession thereof and entitled to make such disclosure without restriction;
2.4 Take appropriate measures to ensure the reliability of the Service Provider's servants, employees, agents, subsidiaries or sub-contractors who have access to the Information; The Service Provider must be in a position to provide the HSE with a named list of their servants, employees, agents, subsidiaries or sub-contractors authorised to have access to Information.
2.5 Not disclose Information to any of the Service Provider's servants, employees, agents, subsidiaries or sub-contractors unless and only to the extent that such persons need to know such Information for the purposes of providing services in connection with the Service, and provided that such person has been made aware of the restrictions in this Agreement on the disclosure of the Information and has agreed in writing to comply with such restrictions;
2.6 Not disclose any Information to any third party without the prior written consent of the HSE;
2.7 Not use the Information directly or indirectly for any purpose other than in connection with the provision of services to the HSE regarding the Service;
2.8 Not reverse engineer, de-compile or disassemble Information or attempt to use the Information in any form other than machine readable object code, or allow a third party to do any of the above;
2.9 Not make any press announcement or otherwise publicise the business relationship with the HSE in any way including, without limitation, using the name of the HSE in any publicity material, unless authorised to do so by the HSE;
2.10 Only use the Information solely for the purposes of fulfilling the requirements of the Service.
2.11 Implement appropriate human, organisational and technological controls to protect against accidental loss, destruction, damage, alteration, or disclosure of the Information.
2.12 Take the necessary precautions for the prevention of unauthorised access to, the
2.12.1 Keep all Information obtained from the HSE or otherwise relating to the Service separate from all documents and other records of the Service Provider;
2.12.2 Only make such copies of the Information as are necessary for the provision of services to the HSE regarding the Service; and
2.12.3 Mark all documentation containing the Information as being subject to the terms of this Agreement and indicate that it is contrary to the terms of this Agreement to copy, disclose or use in any manner or fashion such documentation without the prior written consent of the HSE; and
2.12.4 Have all necessary access controls to include authentication and authorisation for access to Information to ensure its security and confidentiality.
2.13 Ensure all documents and other tangible objects containing or representing Information which have been disclosed by the HSE to the Service Provider, and all copies thereof which are in the possession of the Service Provider, shall be returned to the HSE upon the completion of the Service. In addition, the Service Provider will confirm, in writing, at the completion of the Service that all electronic Information received from the HSE has been deleted from any of the Service Provider’s devices which store Information.
2.14 Promptly inform the HSE of any actual or suspected breach in their security which could give rise to the actual or potential loss, theft, unauthorised release or disclosure of Information or any part thereof. In such an event the Service Provider will immediately supply the HSE with all the relevant facts surrounding the actual or suspected breach.
2.15 For the purposes of Freedom of Information the Service Provider shall:
2.15.1 Procure that its servants, employees, agents, subsidiaries or sub-contractors shall assist the HSE, at no additional charge and within such timescales as the HSE may reasonably specify, in meeting any requests for Information which are made to the HSE under the Freedom of Information Xxx 0000, such assistance to include (but not be limited to) the provision of a copy of the requested Information.
2.15.2 Notwithstanding anything to the contrary in this Agreement, if the HSE receives a request for Information pursuant to the Freedom of Information Xxx 0000, the HSE shall be entitled to disclose all Information (in whatever form) as is necessary to comply with the Freedom of Information Xxx 0000.
2.15.3 If, at the request of the Service Provider, the HSE seeks to withhold Information protected by this Agreement and a competent authority determines, or the parties subsequently agree, that the Information is not exempt, then the Service Provider shall reimburse the HSE for all costs (including but not limited to legal costs) incurred by the HSE in seeking to withhold such Information from a request under the Freedom of Information Xxx 0000.
2.15.4 Not (and shall procure that its servants, employees, agents, subsidiaries or sub-contractors do not) respond directly to a request for Information under the Freedom of Information Xxx 0000 unless expressly authorised to do so by the HSE.
2.16 Ensure the security of Information stored on all fixed and mobile devices, including medical devices, desktop computers, servers and mobile computer devices (i.e. laptops, notes, tablets, personal data assistants, Blackberry enabled devices, iPads, iPhones and other smart type devices etc) and removable storage devices (i.e. CD, DVD, portable hard drives, Diskettes, ZIP disks, Magnetic tapes etc).
2.16.1 Only in exceptional circumstances and with the written consent of the HSE, should the Service Provider hold Information on mobile computing or removable storage devices. Should the business requirements necessitate the holding of Information on such devices then the Service Provider shall ensure that only the Information absolutely necessary for their purpose is stored in this format and that the Information is held on such devices only for the minimum amount of time necessary and furthermore, after such period that they will delete all Information from these devices.
2.16.2 Where the use of mobile computing or removable storage devices is a necessity then the Service Provider will take all necessary precautions to ensure the safety of these devices from theft or loss. As a minimum all mobile computing and removable storage devices must be protected by the use of strong complex passwords.
2.16.3 The Service Provider must ensure that all Information held on mobile computing and removable storage devices is secured by strong encryption. The encryption methods used must satisfy or better the requirements of the HSE Encryption Policy. (xxxx://xxx.xx/eng/services/Publications/pp/ict/Encryption_Policy.pdf) At any time during the term of this Agreement the HSE may request the Service Provider to set out in writing the current encryption measures used and the Service Provider will provide this information within 5 days. If, in the reasonable opinion of the HSE, the encryption standard employed by the Service Provider is not sufficient, the Service Provider will implement, at their expense, whatever encryption standards are proposed by the HSE. At no time should cipher keys be held on the mobile computing or removable storage device for the data which they secure. In addition, the Service Provider will at all times hold cipher keys in a secure fashion.
2.16.4 Under no circumstances encrypted or otherwise is the Service Provider sanctioned by the HSE to download or store Information on USB memory sticks/keys.
2.17 Ensure the security of the Information in transit. Where it is necessary to transfer the Information, the Service Provider must take all necessary precautions to ensure the security of the Information before, during and after transit.
2.17.1 The Service Provider shall ensure that all transfers of the Information are legal, justifiable, and only the minimum Information absolutely necessary for a given purpose is transferred.
2.17.2 All transfers of Information should, where possible, only take place electronically via secure on-line channels or electronic mail. Where the Service Provider transfers Information electronically, in any form and by any means, the Information must be encrypted using strong encryption. The encryption methods used must satisfy or better the requirements of the HSE Encryption Policy.
2.17.3 Where it is not possible to transfer the Information electronically, the Information may be encrypted and copied to a mobile storage device (with the exception of USB memory sticks/keys) and transported manually. The encryption methods used must satisfy or better the requirements of the HSE Encryption Policy. The encrypted mobile storage media, should wherever possible, be hand delivered by the Service Provider to, and be signed for by, the intended recipient. If this is not possible, the use of registered post or some other certifiable delivery method must be used.
2.18 Transfers of Information outside of the Republic of Ireland.
2.18.1 The Service Provider must seek the written consent of the HSE prior to the Service Provider sending Information outside the jurisdiction of the Republic of Ireland. The HSE may, at its discretion, prohibit the Service Provider from sending Information outside the jurisdiction of the Republic of Ireland.
2.18.2 Where the HSE has consented to the transfer of Information outside the Republic of Ireland, the Service Provider may only transfer Information to a legal entity located in:
2.18.2.1 A country within the European Economic Area;
2.18.2.2 A country outside the European Economic Area but approved for this purpose by the EU Commission;
2.18.2.3 The United States of America only when the Information transferee has agreed in writing to be bound by the EU-US Privacy Shield Framework.
2.19 If so requested by the HSE, the Service Provider shall:
2.19.1 Permit the HSE or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Service Provider’s data processing facilities and activities (and/or those of its agents, subsidiaries and sub-contractors) and comply with all reasonable requests or directions by the HSE to enable the HSE to verify and/or procure that the Service Provider is in full compliance with its obligations under this contract.
2.19.2 Make available for audit by the HSE or its representatives, (subject to reasonable and appropriate confidentiality undertakings), all staff procedures, processes and instructions that the Service Provider employs for the management of Information
2.19.3 Permit the HSE or its representatives, (subject to reasonable and appropriate confidentiality undertakings), to inspect the contracts (Model Contracts), that the service provider has in place, governing the transfer of any structured data within 15 business days of a request Information from the Client, setting out the documents required (all or part). Such documents shall be made available via a secure file sharing platform or as instructed by the Client in line with Client’s security requirements. Guaranteed response times When the Client raises a support issue with Service Provider, Service Provider promises to respond in a timely fashion. Response times The response time measures how long it takes Service Provider to respond to a support request via email. Service Provider is deemed to have responded when it has replied legal entities located outside the European Economic Area
2.19.4 Forthwith return to the HSE (or as it directs) all written material, photographs, Information and documentation obtained from the HSE together with all copies and reproductions made by the Service Provider; and
2.19.5 Forthwith destroy all notes, memoranda and Information kept in electronic form containing copies or abstracts of the Information
Appears in 2 contracts
Samples: Confidentiality Agreement, Confidentiality Agreement
Obligations of the Service Provider. 2.1 To the extent that the Service Provider Processes HSE Personal Data as a Data Processor on behalf of the HSE, the Service Provider shall:
2.1.1 Comply at all times with their obligations as a Data Processor as set out in the Data Protection Legislation and this Agreement, and not undertake any actions or permit any actions to be undertaken on their behalf which may cause the HSE to be in breach of the Data Protection Legislation;
2.1.2 Manage and Process any HSE Personal Data only on behalf, and they acquire from the HSE solely in accordance with the written documented instructions of Client from time to timethe HSE as set out in this Agreement, and in accordance with this agreement;
(b) that it has no reason to believe that the legislation applicable to it (including the Regulation) prevents it from fulfilling the instructions received from Client and its obligations under the contract;
(c) having regard to the state of technological development and the cost of implementing any measures, it will take appropriate technical and organisational measures against the unauthorised or unlawful processing of the personal data and against the accidental loss or destruction of, or damage to, the personal data to ensure a level of security appropriate to: (i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and (ii) the nature of the data to be protected; and take reasonable steps to ensure compliance with those measures;
(d) to ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential
(e) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer;
(ii) the data subject has enforceable rights and effective legal remedies;
(iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(iv) the Data Processor complies with reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data.
(f) that it shall promptly notify Client about:
(i) any legally binding request for the disclosure of the Personal Data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law, to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorised access, unlawful processing or disclosure;
(iii) any complaint and/or request received directly from the Data Subjects without responding to that request, unless he has been otherwise authorised to do so;
with regard to transfers of HSE Personal Data to a third country or an international organisation, unless required to do so by European Union or Irish Law to which the Service Provider is subject; in such a case, the Service Provider shall inform the HSE in writing of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
2.1.3 Notify the HSE prior to carrying out any instruction from the HSE if, in the Service Providers opinion, such instruction is likely to result in Processing that is in breach of the Data Protection Legislation;
2.1.4 Only Process and use HSE Personal Data for the purposes of providing any contracted Services to the HSE and, not otherwise modify, amend or alter the contents of HSE Personal Data unless specifically authorised to do so in writing by the HSE;
2.1.5 Take all reasonable measures to ensure the reliability of any of the Service Provider’s employees and contractors who have access to HSE Personal Data and, upon the written request of the HSE, where legally permissible, provide the HSE with a named list of their employees and contractors who have access to HSE Personal Data;
2.1.6 Ensure that access to HSE Personal Data is limited to those of the Service Provider’s employees and contractors who need to have access to it, and that they are informed of the confidential nature of the HSE Personal Data, are under an obligation to keep such HSE Personal Data confidential, and comply with the obligations set out in this Agreement;
2.1.7 Ensure that all the relevant Service Provider employees and contractors with access to HSE Personal Data have been provided with and have undergone appropriate Data Protection and IT security training;
Appears in 1 contract
Samples: Data Processing Agreement
Obligations of the Service Provider. In consideration of the HSE directly making the Information available to the Service Provider, or the Service Provider otherwise acquiring the Information, the Service Provider shall:
2.1 Not take or remove any Information from HSE premises without having received the written authorisation of the HSE. Such written authorisation must be issued in advance of the first instance and will apply thereafter;
2.2 Manage and process any Information which they acquire from the HSE in accordance with the written instructions of the HSE and the obligations of the Data Protection Xxx 0000, the Data Protection (Amendment) Xxx 0000 and SI535 of 2003 (as amended) in so far as these obligations apply to a data processor;
2.3 Maintain secret and confidential all Information furnished to it or otherwise acquired by its servants, employees, agents, subsidiaries or sub-contractors save and to the extent that such Information has been made available to the public by the HSE or by any third party lawfully in possession thereof and entitled to make such disclosure without restriction;
2.4 Take appropriate measures to ensure the reliability of the Service Providers servants, employees, agents, subsidiaries or sub-contractors who have access to the Information; The Service Provider must be in a position to provide the HSE with a named list of their servants, employees, agents, subsidiaries or sub-contractors authorised to have access to Information.
2.5 Not disclose Information to any of the Service Provider's servants, employees, agents, subsidiaries or sub-contractors unless and only to the extent that such persons need to know such Information for the purposes of providing services in connection with the Service, and provided that such person has been made aware of the restrictions in this Agreement on the disclosure of the Information and has agreed in writing to comply with such restrictions;
2.6 Not disclose any Information to any third party without the prior written consent of the HSE;
2.7 Not use the Information directly or indirectly for any purpose other than in connection with the provision of services to the HSE regarding the Service;
2.8 Not reverse engineer, de-compile or disassemble Information or attempt to use the Information in any form other than machine readable object code, or allow a third party to do any of the above;
2.9 Not make any press announcement or otherwise publicise the business relationship with the HSE in any way including, without limitation, using the name of the HSE in any publicity material, unless authorised to do so by the HSE;
2.10 Only use the Information solely for the purposes of fulfilling the requirements of the Service.
2.11 Implement appropriate human, organisational and technological controls to protect against accidental loss, destruction, damage, alteration, or disclosure of the Information.
2.12 Take the necessary precautions for the prevention of unauthorised access to, the
2.12.1 Keep all Information obtained from the HSE or otherwise relating to the Service separate from all documents and other records of the Service Provider;
2.12.2 Only make such copies of the Information as are necessary for the provision of services to the HSE regarding the Service; and
2.12.3 Mark all documentation containing the Information as being subject to the terms of this Agreement and indicate that it is contrary to the terms of this Agreement to copy, disclose or use in any manner or fashion such documentation without the prior written consent of the HSE; and
2.12.4 Have all necessary access controls to include authentication and authorisation for access to Information to ensure its security and confidentiality.
2.13 Ensure all documents and other tangible objects containing or representing Information which have been disclosed by the HSE to the Service Provider, and all copies thereof which are in the possession of the Service Provider, shall be returned to the HSE upon the completion of the Service. In addition, the Service Provider will confirm, in writing, at the completion of the Service that all electronic Information received from the HSE has been deleted from any of the Service Provider’s devices which store Information.
2.14 Promptly inform the HSE of any actual or suspected breach in their security which could give rise to the actual or potential loss, theft, unauthorised release or disclosure of Information or any part thereof. In such an event the Service Provider will immediately supply the HSE with all the relevant facts surrounding the actual or suspected breach.
2.15 For the purposes of Freedom of Information the Service Provider shall:
2.15.1 Procure that its servants, employees, agents, subsidiaries or sub-contractors shall assist the HSE, at no additional charge and within such timescales as the HSE may reasonably specify, in meeting any requests for Information which are made to the HSE under the Freedom of Information Xxx 0000, such assistance to include (but not be limited to) the provision of a copy of the requested Information.
2.15.2 Notwithstanding anything to the contrary in this Agreement, if the HSE receives a request for Information pursuant to the Freedom of Information Xxx 0000, the HSE shall be entitled to disclose all Information (in whatever form) as is necessary to comply with the Freedom of Information Act, 1997.
2.15.3 If, at the request of the Service Provider, the HSE seeks to withhold Information protected by this Agreement and a competent authority determines, or the parties subsequently agree, that the Information is not exempt, then the Service Provider shall reimburse the HSE for all costs (including but not limited to legal costs) incurred by the HSE in seeking to withhold such Information from a request under the Freedom of Information Act, 1997.
2.15.4 Not (and shall procure that its servants, employees, agents, subsidiaries or sub-contractors do not) respond directly to a request for Information under the Freedom of Information Act, 1997 unless expressly authorised to do so by the HSE.
2.16 Ensure the security of Information stored on all fixed and mobile devices, including medical devices, desktop computers, servers and mobile computer devices (i.e. laptops, notes, tablets, personal data assistants, Blackberry enabled devices, iPads, iPhones and other smart type devices etc) and removable storage devices (i.e. CD, DVD, portable hard drives, Diskettes, ZIP disks, Magnetic tapes etc).
2.16.1 Only in exceptional circumstances and with the written consent of the HSE, should the Service Provider hold Information on mobile computing or removable storage devices. Should the business requirements necessitate the holding of Information on such devices then the Service Provider shall ensure that only the Information absolutely necessary for their purpose is stored in this format and that the Information is held on such devices only for the minimum amount of time necessary and furthermore, after such period that they will delete all Information from these devices.
2.16.2 Where the use of mobile computing or removable storage devices is a necessity then the Service Provider will take all necessary precautions to ensure the safety of these devices from theft or loss. As a minimum all mobile computing and removable storage devices must be protected by the use of strong complex passwords.
2.16.3 The Service Provider must ensure that all Information held on mobile computing and removable storage devices is secured by strong encryption. The encryption methods used must satisfy or better the requirements of the HSE Encryption Policy. At any time during the term of this Agreement the HSE may request the Service Provider to set out in writing the current encryption measures used and the Service Provider will provide this information within 5 days. If, in the reasonable opinion of the HSE, the encryption standard employed by the Service Provider is not sufficient, the Service Provider will implement, at their expense, whatever encryption standards are proposed by the HSE. At no time should cipher keys be held on the mobile computing or removable storage device for the data which they secure. In addition, the Service Provider will at all times hold cipher keys in a secure fashion.
2.16.4 Under no circumstances encrypted or otherwise is the Service Provider sanctioned by the HSE to download or store Information on USB memory sticks/keys.
2.17 Ensure the security of the Information in transit. Where it is necessary to transfer the Information, the Service Provider must take all necessary precautions to ensure the security of the Information before, during and after transit.
2.17.1 The Service Provider shall ensure that all transfers of the Information are legal, justifiable, and only the minimum Information absolutely necessary for a given purpose is transferred.
2.17.2 All transfers of Information should, where possible, only take place electronically via secure on-line channels or electronic mail. Where the Service Provider transfers Information electronically, in any form and by any means, the Information must be encrypted using strong encryption. The encryption methods used must satisfy or better the requirements of the HSE Encryption Policy.
2.17.3 Where it is not possible to transfer the Information electronically, the Information may be encrypted and copied to a mobile storage device (with the exception of USB memory sticks/keys) and transported manually. The encryption methods used must satisfy or better the requirements of the HSE Encryption Policy. The encrypted mobile storage media, should wherever possible, be hand delivered by the Service Provider to, and be signed for by, the intended recipient. If this is not possible, the use of registered post or some other certifiable delivery method must be used.
2.18 Transfers of Information outside of the Republic of Ireland.
2.18.1 The Service Provider must seek the written consent of the HSE prior to the Service Provider sending Information outside the jurisdiction of the Republic of Ireland. The HSE may, at its discretion, prohibit the Service Provider from sending Information outside the jurisdiction of the Republic of Ireland.
2.18.2 Where the HSE has consented to the transfer of Information outside the Republic of Ireland, the Service Provider may only transfer Information to a legal entity located in:
2.18.2.1 A country within the European Economic Area;
2.18.2.2 A country outside the European Economic Area but approved for this purpose by the EU Commission;
2.18.2.3 The United States of America only when the Information transferee has agreed in writing to be bound by the Safe Harbour rules.
2.19 If so requested by the HSE, the Service Provider shall:
2.19.1 Permit the HSE or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Service Provider’s data processing facilities and activities (and/or those of its agents, subsidiaries and sub contractors) and comply with all reasonable requests or directions by the HSE to enable the HSE to verify and/or procure that the Service Provider is in full compliance with its obligations under this contract.
2.19.2 Make available for audit by the HSE or its representatives, (subject to reasonable and appropriate confidentiality undertakings), all staff procedures, processes and instructions that the Service Provider employs for the management of Information;
2.19.3 Permit the HSE or its representatives, (subject to reasonable and appropriate confidentiality undertakings), to inspect the contracts (Model Contracts), that the service provider has in place, governing the transfer of Information to legal entities located outside the European Economic Area
2.19.4 Forthwith return to the HSE (or as it directs) all written material, photographs, Information and documentation obtained from the HSE together with all copies and reproductions made by the Service Provider; and
2.19.5 Forthwith destroy all notes, memoranda and Information kept in electronic form containing copies or abstracts of the Information
Appears in 1 contract
Samples: Confidentiality Agreement
Obligations of the Service Provider. 4.1 The Service Provider shall, at all times during the Term:
(a) comply with any and all applicable laws and legal obligations relating (whether in whole or in part) to the provision of the Services, including health and safety and non-discrimination laws, regulations and codes of practice;
(b) obtain and maintain in force all necessary licenses, permits, consents and authorisations required from time to time for the provision of the Services;
(c) provide HCC and its officers, employees, agents and representatives with such access to the Service Provider’s premises and any other premises from which the Services are provided from time to time at such times as HCC reasonably requires for the purposes of inspecting the facilities at such premises, the Goods, the provision of the Services and the compliance by the Service Provider with the terms and conditions of this Agreement;
(d) provide and make available such access to and assistance from such of the Service Provider’s personnel as HCC may reasonably require from time to time;
(e) procure that the Service Provider’s personnel that have occasion to visit or carry out any work at HCC’s premises or at a Third Party’s premises (including when delivering, installing, dismantling and collecting the Goods), act when so doing in accordance with any instructions that may be issued by HCC or the Third Party and comply in all respects with the site rules applicable from time to time at such premises;
(f) promptly notify HCC of any matter, thing or relationship which would or might conflict with the full and proper performance of its obligations under this Agreement;
(g) promptly notify HCC of any change (whether permanent or temporary) to the identity of the personnel involved in the performance of this Agreement;
(h) without prejudice to the provisions of clause 21, promptly notify HCC of any change to the Service Provider’s contact details from time to time; and
(i) promptly notify HCC if any change of control occurs in relation to the Service Provider. For the purposes of this clause 4.1(i), a “change of control” means that a person who did not previously have control (as that term is defined in section 450 of the Corporation Tax Act 2010) of the Service Provider acquires control of the Service Provider.
4.2 The Service Provider shall not at any time use the name of HCC or any trade marks (whether registered or unregistered) or trade names of HCC without the prior written consent of HCC. In using such names and marks with the prior written consent of HCC, the Service Provider shall comply with any and all directions given by HCC from time to time in respect of such use.
4.3 The Service Provider confirms that it has not prior to the date hereof offered or given or agreed to give and shall not offer or give, or agree to give, to any officer, employee or representative of HCC any gift or consideration of any kind as an inducement or reward for doing or refraining from doing, or for having done or refrained from doing, any act in relation to the obtaining or execution of this Agreement or any other contract with HCC or for showing or refraining from showing favour or disfavour to any person in relation to this Agreement or any such other contract, and shall procure that no such acts or omissions shall be done by any person employed by it or acting on its behalf.
4.4 The Service Provider shall, at all times during the Term and for a period of ten (10) years thereafter, obtain and maintain in force with reputable insurers:
(a) all insurances required by law; and
(b) all insurances required to cover its potential liabilities under or in connection with this Agreement including without limitation insurance at the following levels of cover:
(i) Public & Product liability - £1,000,000 (in aggregate for all claims);
(ii) Employer’s liability - £5,000,000 (in aggregate for all claims);
4.5 The Service Provider shall provide HCC with written evidence of compliance with its obligations at clause 4.4 promptly upon request.
Appears in 1 contract
Samples: Services Agreement
Obligations of the Service Provider. 2.1 To the extent that the Service Provider Processes HSE Personal Data as a Data Processor on behalf of the HSE, the Service Provider shall:
2.1.1 Comply at all times with their obligations as a Data Processor as set out in the Data Protection Legislation and this Agreement, and not undertake any actions or permit any actions to be undertaken on their behalf which may cause the HSE to be in breach of the Data Protection Legislation;
2.1.2 Manage and Process any HSE Personal Data they acquire from the HSE solely in accordance with the documented instructions of the HSE as set out in this Agreement, and with regard to transfers of HSE Personal Data to a third country or an international organisation, unless required to do so by European Union or Irish Law to which the Service Provider is subject; in such a case, the Service Provider shall inform the HSE in writing of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
2.1.3 Notify the HSE prior to carrying out any instruction from the HSE if, in the Service Provider’s opinion, such instruction is likely to result in Processing that is in breach of the Data Protection Legislation;
2.1.4 Only Process and use HSE Personal Data for the purposes of providing any contracted Services to the HSE and, not otherwise modify, amend or alter the contents of HSE Personal Data unless specifically authorised to do so in writing by the HSE;
2.1.5 Take all reasonable measures to ensure the reliability of any of the Service Provider’s employees and contractors who have access to HSE Personal Data;
2.1.6 Ensure that access to HSE Personal Data is limited to those of the Service Provider’s employees and contractors who need to have access to it, and that they are informed of the confidential nature of the HSE Personal Data, are under an obligation to keep such HSE Personal Data confidential, and comply with the obligations set out in this Agreement;
2.1.7 Ensure that all the relevant Service Provider employees and contractors with access to HSE Personal Data have been provided with and have undergone appropriate Data Protection and IT security training;
2.1.8 Ensure they have appropriate procedures in place which prevent the Service Provider’s employees and contractors from downloading HSE Personal Data from the Service Provider’s IT devices and Servers and storing this HSE Personal Data on the employees’ or contractors’ personal IT devices (e.g. i.
Appears in 1 contract
Samples: Data Processing Agreement
Obligations of the Service Provider. 4.1 The Service Provider shall, at all times during the Term:
(a) comply with any and all applicable laws and legal obligations relating (whether in whole or in part) to the provision of the Services, including health and safety and non-discrimination laws, regulations and codes of practice;
(b) obtain and maintain in force all necessary licences, permits, consents and authorisations required from time to time for the provision of the Services;
(c) provide HCC and its officers, employees, agents and representatives with such access to the Service Provider’s premises and any other premises from which the Services are provided from time to time at such times as HCC reasonably requires for the purposes of inspecting the facilities at such premises, the Goods, the provision of the Services and the compliance by the Service Provider with the terms and conditions of this Agreement;
(d) provide and make available such access to and assistance from such of the Service Provider’s personnel as HCC may reasonably require from time to time;
(e) procure that the Service Provider’s personnel that have occasion to visit or carry out any work at HCC’s premises or at a Third Party’s premises (including when delivering, installing, dismantling and collecting the Goods), act when so doing in accordance with any instructions that may be issued by HCC or the Third Party and comply in all respects with the site rules applicable from time to time at such premises;
(f) promptly notify HCC of any matter, thing or relationship which would or might conflict with the full and proper performance of its obligations under this Agreement;
(g) promptly notify HCC of any change (whether permanent or temporary) to the identity of the personnel involved in the performance of this Agreement;
(h) without prejudice to the provisions of clause 20, promptly notify HCC of any change to the Service Provider’s contact details from time to time; and
(i) promptly notify HCC if any change of control occurs in relation to the Service Provider. For the purposes of this clause 4.1(i), a “change of control” means that a person who did not previously have control (as that term is defined in section 450 of the Corporation Tax Act 2010) of the Service Provider acquires control of the Service Provider.
4.2 The Service Provider shall not at any time use the name of HCC or any trade marks (whether registered or unregistered) or trade names of HCC without the prior written consent of HCC. In using such names and marks with the prior written consent of HCC, the Service Provider shall comply with any and all directions given by HCC from time to time in respect of such use.
4.3 The Service Provider confirms that it has not prior to the date hereof offered or given or agreed to give and shall not offer or give, or agree to give, to any officer, employee or representative of HCC any gift or consideration of any kind as an inducement or reward for doing or refraining from doing, or for having done or refrained from doing, any act in relation to the obtaining or execution of this Agreement or any other contract with HCC or for showing or refraining from showing favour or disfavour to any person in relation to this Agreement or any such other contract, and shall procure that no such acts or omissions shall be done by any person employed by it or acting on its behalf.
4.4 The Service Provider shall, at all times during the Term and for a period of ten (10) years thereafter, obtain and maintain in force with reputable insurers:
(a) all insurances required by law; and
(b) all insurances required to cover its potential liabilities under or in connection with this Agreement including without limitation insurance at the following levels of cover:
(i) Public & Product liability - £1,000,000 (in aggregate for all claims);
(ii) Employer’s liability - £5,000,000 (in aggregate for all claims);
4.5 The Service Provider shall provide HCC with written evidence of compliance with its obligations at clause 4.4 promptly upon request.
Appears in 1 contract
Samples: Services Agreement
Obligations of the Service Provider. 5.1 The Service Provider shall, at all times during the Term:
(a) comply with any and all applicable laws and legal obligations relating (whether in whole or in part) to the hire of the Goods and the provision of the Services, including health and safety and non-discrimination laws, regulations and codes of practice;
(b) obtain and maintain in force all necessary licenses, permits, consents and authorisations required from time to time for the hire of the Goods and the provision of the Services;
(c) provide HCC and its officers, employees, agents and representatives with such access to the Service Provider’s premises and any other premises from which the Goods are hired or the Services are performed from time to time at such times as HCC reasonably requires for the purposes of inspecting the facilities at such premises, the Goods, the provision of the Services and the compliance by the Service Provider with the terms and conditions of this Agreement and any Contracts;
(d) provide and make available such access to and assistance from such of the Service Provider’s personnel as HCC may reasonably require from time to time;
(e) procure that the Service Provider’s personnel that have occasion to visit or carry out any work at HCC’s premises or at a Third Party’s premises (including when delivering, installing, dismantling and collecting the Goods), act when so doing in accordance with any instructions that may be issued by HCC or the Third Party and comply in all respects with the site rules applicable from time to time at such premises;
(f) promptly notify HCC of any matter, thing or relationship which would or might conflict with the full and proper performance of its obligations under this Agreement or any Contract;
(g) promptly notify HCC of any change (whether permanent or temporary) to the identity of the personnel involved in the performance of this Agreement or any Contract;
(h) without prejudice to the provisions of clause 23, promptly notify HCC of any change to the Service Provider’s contact details from time to time; and
(i) promptly notify HCC if any change of control occurs in relation to the Service Provider. For the purposes of this clause 5.1(i), a “change of control” means that a person who did not previously have control (as that term is defined in section 840 of the Income and Corporation Taxes Act 1988) of the Service Provider acquires control of the Service Provider.
5.2 The Service Provider shall not at any time use the name of HCC or any trade marks (whether registered or unregistered) or trade names of HCC without the prior written consent of the Data Controller has been obtained HCC. In using such names and the following conditions are fulfilled:
(i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer;
(ii) the data subject has enforceable rights and effective legal remedies;
(iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(iv) the Data Processor complies with reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data.
(f) that it shall promptly notify Client about:
(i) any legally binding request for the disclosure of the Personal Data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law, to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorised access, unlawful processing or disclosure;
(iii) any complaint and/or request received directly from the Data Subjects without responding to that request, unless he has been otherwise authorised to do so;
(g) to deal promptly and properly with all enquiries from Client relating to his processing of the personal data subject to the transfer and to abide by the advice of the Supervisory Authority with regard to the processing of the data transferred; and
(h) maintain complete and accurate records and information to demonstrate its compliance with this clause and, at the request of Client, to submit its data processing facilities for audit of the processing activities covered by this Agreement which shall be carried out by Client or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by Client, where applicable, in agreement marks with the Supervisory Authority. Guaranteed Uptime levels The Platform shall have 99.9% uptime, excluding any scheduled downtime required for updates to the platform outside prior written consent of normal business hours (8am-6pm Monday to Friday) Service Provider shall schedule updates outside of business hours (ie not 8am-6pm Monday to Friday) and in normal circumstances system updates shall be conducted after 8pm when no users are actively making use of the platform. Where possible, Service Provider will notify Client in advance of any planned updates and resulting scheduled downtime. Measurement and penalties Uptime is measured over each calendar month. If uptime drops below the relevant threshold, a penalty will be applied in the form of a credit for the Client. This means the following month’s fee payable by the Client will be reduced on a sliding scale as follows:
2 fee reduction for every 1% below the uptime SLA. The level of penalty will be calculated depending on the number of hours for which the service was unavailable, minus the downtime permitted by the SLA: Uptime penalties in any month are capped at 50% of the total monthly fee Provision of Client data and Client Information Client shall have access to and be able to download all matter structured data in whole or part (in CSV machine readable format) and individual documents from matters via the Platform, in accordance with the Guaranteed Uptime levels (ie 99.9% of the time). If Client requires bulk download of all or some documents from the platformHCC, the Service Provider shall provide comply with any and all directions given by HCC from time to time in respect of such documents along with reference use.
5.3 The Service Provider confirms that it has not prior to the date hereof offered or given or agreed to give and shall not offer or give, or agree to give, to any officer, employee or representative of HCC any gift or consideration of any kind as an inducement or reward for doing or refraining from doing, or for having done or refrained from doing, any act in relation to the obtaining or execution of this Agreement or any Contract or any other contract with HCC or for showing or refraining from showing favour or disfavour to any person in relation to this Agreement or any Contract or any such other contract, and shall procure that no such acts or omissions shall be done by any person employed by it or acting on its behalf.
5.4 The Service Provider shall, at all times during the Term and for a period of ten (10) years thereafter, obtain and maintain in force with reputable insurers:
(a) all insurances required by law; and
(b) all insurances required to cover its potential liabilities under or in connection with this Agreement and any and all Contracts including public liability and professional indemnity insurance.
5.5 The response time measures how long it takes Service Provider to respond to a support request via email. Service Provider is deemed to have responded when it has replied to the Client’s initial request. This may be in the form of an email or telephone call, to either provide a solution or request further information. Response times are measured from the moment the Client submits a support request via email. Response times apply during standard working hours (9am — 6pm Monday to Friday) only, unless the contract between the Client and supplier specifically includes provisions for out of hours support. Subject to the above limitations, Service Provider shall respond to support requests within one (1) hour. Resolution times Service Provider will always endeavour to resolve problems as swiftly as possible and usually within three (3) working days . It recognises that the Client’s use provide HCC with written evidence of the Platform is key to compliance with its business and that any downtime can cost money. However, Service Provider is unable to provide guaranteed resolution times. This is because the nature and causes of problems can vary enormously. In all cases, Service Provider will make its best efforts to resolve problems as quickly as possible. It will also provide frequent progress reports to the Client. Exclusions Service Provider will do everything possible to rectify every issue in a timely manner. However, there are exclusions. This SLA does not apply to: ● Any Client or third party provided equipment, software, services. ● Software, equipment or services not purchased via and managed by Service Provider. Additionally, this SLA does not apply when: ● The problem has been caused by using the Service Providers equipment, software or service(s) in a way that is not recommended. ● The Client has made unauthorized changes to the configuration or set up of affected equipment, software or services. 
● The Client has prevented Service Provider from performing required maintenance and update tasks or failed to respond to reasonable questions about the issue. ● The issue has been caused by unsupported devices, equipment, software or other services. This SLA does not apply in circumstances that could be reasonably said to be beyond Service Provider’s control. For instance: floods, war, acts of god, civil unrest and so on. This SLA also does not apply if the Client is in breach of its contract with Service Provider for any reason (e.g. late payment of fees, improper use, violation of terms, etcobligations at clause 5.4 promptly upon request.)
Samples: Framework Services Agreement
Obligations of the Service Provider. The Service Provider agrees:
34.1. Not take or remove any Information from HSE premises without having received the written authorisation of the HSE. Such written authorisation must be issued in advance of the first instance and will apply thereafter;
34.2. Manage and process any Information which they acquire from the HSE in accordance with the Data Protection Xxx 0000, The Data Protection (Amendment) Xxx 0000 and Directive 2002/58/EC of the European Parliament and of the Council;
34.3. Maintain secret and confidential all Information furnished to it or otherwise acquired by its servants, employees, agents, subsidiaries or sub-contractors save and to the extent that such Information has been made available to the public by the HSE or by any third party lawfully in possession thereof and entitled to make such disclosure without restriction;
34.4. Take appropriate measures to ensure the reliability of the Service Provider’s servants, employees, agents, subsidiaries or sub-contractors who have access to the Information; The Service Provider must be in a position to provide the HSE with a named list of their servants, employees, agents, subsidiaries or sub-contractors authorised to have access to Information;
34.5. Not disclose Information to any of the Service Provider's servants, employees, agents, subsidiaries or sub-contractors unless and only to the extent that such person needs to know such Information for the purposes of providing services in connection with the Service, and provided that such person has been made aware of the restrictions in this Agreement on the disclosure of the Information and has agreed in writing to comply with such restrictions;
34.6. Not disclose any Information to any third party without the prior written consent of the HSE;
34.7. Not use the Information directly or indirectly for any purpose other than in connection with the provision of services to the HSE regarding the Service;
34.8. Not reverse engineer, de-compile or disassemble Information or attempt to use the Information in any form other than machine readable object code, or allow a third party to do any of the above;
34.9. Not make any press announcement or otherwise publicise the business relationship with the HSE in any way including, without limitation, using the name of the HSE in any publicity material, unless authorised to do so by the HSE;
34.10. Only use the Information solely for the purposes of fulfilling the requirements of the Service;
34.11. Implement appropriate human, organisational and technological controls to protect against accidental loss, destruction, damage, alteration, or disclosure of the Information;
34.12. Take the necessary precautions for the prevention of unauthorised access to the Information and in particular:
34.12.1. Keep all Information obtained from the HSE or otherwise relating to the Service separate from all documents and other records of the Service Provider;
34.12.2. Only make such copies of the Information as are necessary for the provision of services to the HSE regarding the Service;
34.12.3. Mark all documentation containing the Information as being subject to the terms of this Agreement and indicate that it is contrary to the terms of this Agreement to copy, disclose or use in any manner or fashion such documentation without the prior written consent of the HSE;
34.12.4. Have all necessary access controls to include authentication and authorisation for access to Information to ensure its security and confidentiality.
34.13. Ensure all documents and other tangible objects containing or representing Information which have been disclosed by the HSE to the Service Provider, and all copies thereof which are in the possession of the Service Provider, shall be returned to the HSE upon the completion of the Service. If requested, give the HSE access to them or (at cost) copies. In addition, the Service Provider will confirm, in writing, at the completion of the Service that all electronic Information received from the HSE has been deleted from any of the Service Provider’s devices which store Information;
34.14. Immediately inform the HSE of any actual or suspected breach in their security which could give rise to the actual or potential loss, theft, unauthorised release or disclosure of Information or any part thereof. In such an event the Service Provider will immediately supply the HSE with all the relevant facts surrounding the actual or suspected breach.
34.15. For the purposes of Freedom of Information the Service Provider shall:
34.15.1. Procure that its servants, employees, agents, subsidiaries or sub-contractors shall assist the HSE, at no additional charge and within such timescales as the HSE may reasonably specify, in meeting any requests for Information which are made to the HSE under the Freedom of Information Xxx 0000, such assistance to include (but not be limited to) the provision of a copy of the requested Information;
34.15.2. Notwithstanding anything to the contrary in this Agreement, if the HSE receives a request for Information pursuant to the Freedom of Information Xxx 0000, the HSE shall be entitled to disclose all Information (in whatever form) as is necessary to comply with the Freedom of Information Act, 1997;
34.15.3. If, at the request of the Service Provider, the HSE seeks to withhold Information protected by this Agreement and a competent authority determines, or the parties subsequently agree, that the Information is not exempt, then the Service Provider shall reimburse the HSE for all costs (including but not limited to legal costs) incurred by the HSE in seeking to withhold such Information from a request under the Freedom of Information Act, 1997;
34.15.4. Not (and shall procure that its servants, employees, agents, subsidiaries or sub-contractors do not) respond directly to a request for Information under the Freedom of Information Act, 1997 unless expressly authorised to do so by the HSE.
34.16. Ensure the security of Information stored on mobile computing devices, such as laptop or notebook computers or Personal Digital Assistants, or mobile storage devices such as CDs, DVDs or portable hard drives.
34.16.1. Only in exceptional circumstances and with the written consent of the HSE, should the Service Provider hold Information on mobile computing or mobile storage devices. Should the business requirements necessitate the holding of Information on such devices then the Service Provider shall ensure that only the Information absolutely necessary for their purpose is stored in this format and that the Information is held on such devices only for the minimum amount of time necessary and furthermore, after
34.16.2. Where the use of mobile computing or mobile storage devices is a necessity then the Service Provider will take all necessary precautions to ensure the safety of these devices from theft or loss. As a minimum all mobile computing and mobile storage devices must be protected by the use of strong complex passwords.
34.16.3. The Service Provider must ensure that all Information held on mobile devices is secured by strong encryption. The encryption methods used must satisfy or better the requirements of the HSE Encryption Policy. At any time during the term of this Agreement the HSE may request the Service Provider to set out in writing the current encryption measures used and the Service Provider will provide this information within 5 days. If, in the reasonable opinion of the HSE, the encryption standard employed by the Service Provider is not sufficient, the Service Provider will implement, at their expense, whatever encryption standards are proposed by the HSE. At no time should cipher keys be held on the mobile device for the data which they secure. In addition, the Service Provider will at all times hold cipher keys in a secure fashion.
34.16.4. Under no circumstances encrypted or otherwise is the Service Provider sanctioned by the HSE to download or store Information on USB memory sticks/keys.
34.17. Ensure the security of Information in transit. Where it is necessary to transfer the Information, the Service Provider must take all necessary precautions to ensure the security of the Information before, during and after transit.
34.17.1. The Service Provider shall ensure that all transfers of the Information are legal, justifiable, and only the minimum Information absolutely necessary for a given purpose is transferred.
34.17.2. All transfers of information should, where possible, only take place electronically via secure on-line channels or electronic mail. Where the Service Provider transfers Information electronically, in any form and by any means, the Information must be encrypted using strong encryption. The encryption methods used must satisfy or better the requirements of the HSE Encryption Policy.
34.17.3. Where it is not possible to transfer the Information electronically, the Information may be encrypted and copied to a mobile storage device (with the exception of USB memory sticks/keys) and transported manually. The encryption methods used must satisfy or better the requirements of the HSE Encryption Policy. The encrypted mobile storage media should, wherever possible, be hand delivered by the Service Provider to, and be signed for by, the intended recipient. If this is not possible, registered post or some other certifiable delivery method must be used.
34.18. Transfers of Information outside of the Republic of Ireland.
34.18.1. The Service Provider must seek the written consent of the HSE prior to the Service Provider sending Information outside the jurisdiction of the Republic of Ireland. The HSE may, at its discretion, prohibit the Service Provider from sending Information outside the jurisdiction of the Republic of Ireland.
34.18.2. Where the HSE has consented to the transfer of Information outside the Republic of Ireland, the Service Provider may only transfer information to a legal entity located in:
2.17.2.1 A country within the European Economic Area;
2.17.2.2 A country outside the European Economic Area but approved for this purpose by the EU Commission;
2.17.2.3 The United States of America only when the Information transferee has agreed in writing to be bound by the Safe Harbour rules.
34.19. If so requested by the HSE, the Service Provider shall:
34.19.1. Permit the HSE or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Service Provider’s data processing facilities and activities (and/or those of its agents, subsidiaries and sub-contractors) and comply with all reasonable requests or directions by the HSE to enable the HSE to verify and/or procure that the Service Provider is in full compliance with its obligations under this contract;
34.19.2. Make available for audit by the HSE or its representatives (subject to reasonable and appropriate confidentiality undertakings), all staff procedures, processes and instructions that the Service Provider employs for the management of Information;
34.19.3. Permit the HSE or its representatives, (subject to reasonable and appropriate confidentiality undertakings), to inspect the contracts (Model Contracts), that the Service Provider has in place, governing the transfer of any structured data within 15 business days of a request Information from the Client, setting out the documents required (all or part). Such documents shall be made available via a secure file sharing platform or as instructed by the Client in line with Client’s security requirements. Guaranteed response times When the Client raises a support issue with Service Provider, Service Provider promises to respond in a timely fashion. Response times The response time measures how long it takes Service Provider to respond to a support request via emaillegal entities located outside the European Economic Area;
34.19.4. Forthwith return to the HSE (or as it directs) all written material, photographs, Information and documentation obtained from the HSE together with all copies and reproductions made by the Service Provider;
34.19.5. Xxxxxxxxx destroy all notes, memoranda and Information kept in electronic form containing copies or abstracts of the Information.
Samples: Services Agreements
Obligations of the Service Provider. 2.1 To the extent that the Service Provider Processes HSE Personal Data as a Data Processor on behalf of the HSE, the Service Provider shall:
2.1.1 Comply at all times with their obligations as a Data Processor as set out in the Data Protection Legislation and this Agreement, and not undertake any actions or permit any actions to be undertaken on their behalf which may cause the HSE to be in breach of the Data Protection Legislation;
2.1.2 Manage and Process any HSE Personal Data only on behalf, and they acquire from the HSE solely in accordance with the written documented instructions of Client from time to timethe HSE as set out in this Agreement, and in accordance with this agreement;
(b) that it has no reason to believe that the legislation applicable to it (including the Regulation) prevents it from fulfilling the instructions received from Client and its obligations under the contract;
(c) having regard to the state of technological development and the cost of implementing any measures, it will take appropriate technical and organisational measures against the unauthorised or unlawful processing of the personal data and against the accidental loss or destruction of, or damage to, the personal data to ensure a level of security appropriate to: (i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and (ii) the nature of the data to be protected; and take reasonable steps to ensure compliance with those measures;
(d) to ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential
(e) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer;
(ii) the data subject has enforceable rights and effective legal remedies;
(iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(iv) the Data Processor complies with reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data.
(f) that it shall promptly notify Client about:
(i) any legally binding request for the disclosure of the Personal Data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law, to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorised access, unlawful processing or disclosure;
(iii) any complaint and/or request received directly from the Data Subjects without responding to that request, unless he has been otherwise authorised to do so;
(g) to deal promptly and properly with all enquiries from Client relating to his processing of the personal data subject to the transfer and to abide by the advice of the Supervisory Authority with regard to the processing transfers of the data transferred; and
(h) maintain complete and accurate records and information HSE Personal Data to demonstrate its compliance with this clause and, at the request of Client, to submit its data processing facilities for audit of the processing activities covered by this Agreement which shall be carried out by Client a third country or an inspection body composed of independent members and in possession of international organisation, unless required to do so by European Union or Irish Law to which the required professional qualifications bound by a duty of confidentiality, selected by Client, where applicable, in agreement with the Supervisory Authority. Guaranteed Uptime levels The Platform shall have 99.9% uptime, excluding any scheduled downtime required for updates to the platform outside of normal business hours (8am-6pm Monday to Friday) Service Provider shall schedule updates outside of business hours (ie not 8am-6pm Monday to Friday) and is subject; in normal circumstances system updates shall be conducted after 8pm when no users are actively making use of the platform. Where possible, Service Provider will notify Client in advance of any planned updates and resulting scheduled downtime. Measurement and penalties Uptime is measured over each calendar month. If uptime drops below the relevant threshold, such a penalty will be applied in the form of a credit for the Client. This means the following month’s fee payable by the Client will be reduced on a sliding scale as follows:
2 fee reduction for every 1% below the uptime SLA. The level of penalty will be calculated depending on the number of hours for which the service was unavailable, minus the downtime permitted by the SLA: Uptime penalties in any month are capped at 50% of the total monthly fee Provision of Client data and Client Information Client shall have access to and be able to download all matter structured data in whole or part (in CSV machine readable format) and individual documents from matters via the Platform, in accordance with the Guaranteed Uptime levels (ie 99.9% of the time). If Client requires bulk download of all or some documents from the platformcase, the Service Provider shall provide inform the HSE in writing of that legal requirement before Processing, unless that law prohibits such documents along with reference information on important grounds of public interest;
2.1.3 Notify the HSE prior to carrying out any instruction from the HSE if, in the Service Provider’s opinion, such instruction is likely to result in Processing that is in breach of the Data Protection Legislation;
2.1.4 Only Process and use HSE Personal Data for the purposes of providing any contracted Services to the HSE and, not otherwise modify, amend or alter the contents of HSE Personal Data unless specifically authorised to do so in writing by the HSE;
2.1.5 Take all reasonable measures to ensure the reliability of any of the Service Provider’s employees and contractors who have access to HSE Personal Data and, upon the written request of the HSE, where legally permissible, provide the HSE with a named list of their employees and contractors who have access to HSE Personal Data;
2.1.6 Ensure that access to HSE Personal Data is limited to those of the Service Provider’s employees and contractors who need to have access to it, and that they are informed of the confidential nature of the HSE Personal Data, are under an obligation to keep such HSE Personal Data confidential, and comply with the obligations set out in this Agreement;
2.1.7 Ensure that all the relevant Service Provider employees and contractors with access to HSE Personal Data have been provided with and have undergone appropriate Data Protection and IT security training;
2.1.8 Ensure they have appropriate procedures in place which prevent the Service Provider’s employees and contractors from downloading HSE Personal Data from the Service Provider’s IT devices and Servers and storing this HSE Personal Data on the employees’ or contractors’ personal IT devices.
Samples: Data Processing Agreement
Obligations of the Service Provider. In consideration of the HSE directly making the Information available to the Service Provider, or the Service Provider otherwise acquiring the Information, the Service Provider shall:
34.1. Not take or remove any Information from HSE premises without having received the written authorisation of the HSE. Such written authorisation must be issued in advance of the first instance and will apply thereafter;
34.2. Manage and process any Information which they acquire from the HSE in accordance with the Data Protection Act 1988, The Data Protection (Amendment) Act 2003 and Directive 2002/58/EC of the European Parliament and of the Council;
34.3. Maintain secret and confidential all Information furnished to it or otherwise acquired by its servants, employees, agents, subsidiaries or sub-contractors save and to the extent that such Information has been made available to the public by the HSE or by any third party lawfully in possession thereof and entitled to make such disclosure without restriction;
34.4. Take appropriate measures to ensure the reliability of the Service Providers servants, employees, agents, subsidiaries or sub-contractors who have access to the Information; The Service Provider must be in a position to provide the HSE with a named list of their servants, employees, agents, subsidiaries or sub-contractors authorised to have access to Information;
34.5. Not disclose Information to any of the Service Provider's servants, employees, agents, subsidiaries or sub-contractors unless and only to the extent that such person needs to know such Information for the purposes of providing services in connection with the Service, and provided that such person has been made aware of the restrictions in this Agreement on the disclosure of the Information and has agreed in writing to comply with such restrictions;
34.6. Not disclose any Information to any third party without the prior written consent of the HSE;
34.7. Not use the Information directly or indirectly for any purpose other than in connection with the provision of services to the HSE regarding the Service;
34.8. Not reverse engineer, de-compile or disassemble Information or attempt to use the Information in any form other than machine readable object code, or allow a third party to do any of the above;
34.9. Not make any press announcement or otherwise publicise the business relationship with the HSE in any way including, without limitation, using the name of the HSE in any publicity material, unless authorised to do so by the HSE;
34.10. Only use the Information solely for the purposes of fulfilling the requirements of the Service;
34.11. Implement appropriate human, organisational and technological controls to protect against accidental loss, destruction, damage, alteration, or disclosure of the Information;
34.12. Take the necessary precautions for the prevention of unauthorised access to the Information and in particular:
34.12.1. Keep all Information obtained from the HSE or otherwise relating to the Service separate from all documents and other records of the Service Provider;
34.12.2. Only make such copies of the Information as are necessary for the provision of services to the HSE regarding the Service;
34.12.3. Mark all documentation containing the Information as being subject to the terms of this Agreement and indicate that it is contrary to the terms of this Agreement to copy, disclose or use in any manner or fashion such documentation without the prior written consent of the HSE;
34.12.4. Have all necessary access controls to include authentication and authorisation for access to Information to ensure its security and confidentiality.
34.13. Ensure all documents and other tangible objects containing or representing Information which have been disclosed by the HSE to the Service Provider, and all copies thereof which are in the possession of the Service Provider, shall be returned to the HSE upon the completion of the Service. If requested, give the HSE access to them or (at cost) copies. In addition, the Service Provider will confirm, in writing, at the completion of the Service that all electronic Information received from the HSE has been deleted from any of the Service Provider’s devices which store Information;
34.14. Immediately inform the HSE of any actual or suspected breach in their security which could give rise to the actual or potential loss, theft, unauthorised release or disclosure of Information or any part thereof. In such an event the Service Provider will immediately supply the HSE with all the relevant facts surrounding the actual or suspected breach.
34.15. For the purposes of Freedom of Information the Service Provider shall:
34.15.1. Procure that its servants, employees, agents, subsidiaries or sub-contractors shall assist the HSE, at no additional charge and within such timescales as the HSE may reasonably specify, in meeting any requests for Information which are made to the HSE under the Freedom of Information Act 1997, such assistance to include (but not be limited to) the provision of a copy of the requested Information;
34.15.2. Notwithstanding anything to the contrary in this Agreement, if the HSE receives a request for Information pursuant to the Freedom of Information Act 1997, the HSE shall be entitled to disclose all Information (in whatever form) as is necessary to comply with the Freedom of Information Act, 1997;
34.15.3. If, at the request of the Service Provider, the HSE seeks to withhold Information protected by this Agreement and a competent authority determines, or the parties subsequently agree, that the Information is not exempt, then the Service Provider shall reimburse the HSE for all costs (including but not limited to legal costs) incurred by the HSE in seeking to withhold such Information from a request under the Freedom of Information Act, 1997;
34.15.4. Not (and shall procure that its servants, employees, agents, subsidiaries or sub-contractors do not) respond directly to a request for Information under the Freedom of Information Act, 1997 unless expressly authorised to do so by the HSE.
34.16. Ensure the security of Information stored on mobile computing devices, such as laptop or notebook computers or Personal Digital Assistants, or mobile storage devices such as CDs, DVDs or portable hard drives.
34.16.1. Only in exceptional circumstances and with the written consent of the HSE, should the Service Provider hold Information on mobile computing or mobile storage devices. Should the business requirements necessitate the holding of Information on such devices then the Service Provider shall ensure that only the Information absolutely necessary for their purpose is stored in this format and that the Information is held on such devices only for the minimum amount of time necessary and furthermore, after such period that they will delete all Information from these devices.
34.16.2. Where the use of mobile computing or mobile storage devices is a necessity then the Service Provider will take all necessary precautions to ensure the safety of these devices from theft or loss. As a minimum all mobile computing and mobile storage devices must be protected by the use of strong complex passwords.
34.16.3. The Service Provider must ensure that all Information held on mobile devices is secured by strong encryption. The encryption methods used must satisfy or better the requirements of the HSE Encryption Policy. At any time during the term of this Agreement the HSE may request the Service Provider to set out in writing the current encryption measures used and the Service Provider will provide this information within 5 days. If, in the reasonable opinion of the HSE, the encryption standard employed by the Service Provider is not sufficient, the Service Provider will implement, at their expense, whatever encryption standards are proposed by the HSE. At no time should cipher keys be held on the mobile device for the data which they secure. In addition, the Service Provider will at all times hold cipher keys in a secure fashion.
Measurement and penalties
Uptime is measured over each calendar month. If uptime drops below the relevant threshold, a penalty will be applied in the form of a credit for the Client. This means the following month’s fee payable by the Client will be reduced on a sliding scale as follows: 2 fee reduction for every 1% below the uptime SLA. The level of penalty will be calculated depending on the number of hours for which the service was unavailable, minus the downtime permitted by the SLA: Uptime penalties in any month are capped at 50% of the total monthly fee
Provision of Client data and Client Information
Client shall have access to and be able to download all matter structured data in whole or part (in CSV machine readable format) and individual documents from matters via the Platform, in accordance with the Guaranteed Uptime levels (ie 99.9% of the time). If Client requires bulk download of all or some documents from the platform, Service Provider shall provide such documents along with reference to any structured data within 15 business days of a request from the Client, setting out the documents required (all or part).
34.16.4. Under no circumstances encrypted or otherwise is the Service Provider sanctioned by the HSE to download or store Information on USB memory sticks/keys.
34.17. Ensure the security of Information in transit. Where it is necessary to transfer the Information, the Service Provider must take all necessary precautions to ensure the security of the Information before, during and after transit.
34.17.1. The Service Provider shall ensure that all transfers of the Information are legal, justifiable, and only the minimum Information absolutely necessary for a given purpose is transferred.
34.17.2. All transfers of information should, where possible, only take place electronically via secure on-line channels or electronic mail. Where the Service Provider transfers Information electronically, in any form and by any means, the Information must be encrypted using strong encryption. The encryption methods used must satisfy or better the requirements of the HSE Encryption Policy.
34.17.3. Where it is not possible to transfer the Information electronically, the Information may be encrypted and copied to a mobile storage device (with the exception of USB memory sticks/keys) and transported manually. The encryption methods used must satisfy or better the requirements of the HSE Encryption Policy. The encrypted mobile storage media should, wherever possible, be hand delivered by the Service Provider to, and be signed for by, the intended recipient. If this is not possible, the use of registered post or some other certifiable delivery method must be used.
34.18. Transfers of Information outside of the Republic of Ireland.
34.18.1. The Service Provider must seek the written consent of the HSE prior to the Service Provider sending Information outside the jurisdiction of the Republic of Ireland. The HSE may, at its discretion, prohibit the Service Provider from sending Information outside the jurisdiction of the Republic of Ireland.
34.18.2. Where the HSE has consented to the transfer of Information outside the Republic of Ireland, the Service Provider may only transfer information to a legal entity located in:
2.17.2.1 A country within the European Economic Area;
2.17.2.2 A country outside the European Economic Area but approved for this purpose by the EU Commission;
2.17.2.3 The United States of America only when the Information transferee has agreed in writing to be bound by the Safe Harbour rules.
34.19. If so requested by the HSE, the Service Provider shall:
34.19.1. Permit the HSE or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Service Provider’s data processing facilities and activities (and/or those of its agents, subsidiaries and sub contractors) and comply with all reasonable requests or directions by the HSE to enable the HSE to verify and/or procure that the Service Provider is in full compliance with its obligations under this contract;
34.19.2. Make available for audit by the HSE or its representatives, (subject to reasonable and appropriate confidentiality undertakings), all staff procedures, processes and instructions that the Service Provider employ for the management of Information;
34.19.3. Permit the HSE or its representatives, (subject to reasonable and appropriate confidentiality undertakings), to inspect the contracts (Model Contracts), that the Service Provider has in place, governing the transfer of Information from the Service Provider to legal entities located outside the European Economic Area;
34.19.4. Forthwith return to the HSE (or as it directs) all written material, photographs, Information and documentation obtained from the HSE together with all copies and reproductions made by the Service Provider;
34.19.5. Xxxxxxxxx destroy all notes, memoranda and Information kept in electronic form containing copies or abstracts of the Information.
Samples: Services Agreements