Common use of Processor Obligations Clause in Contracts

Processor Obligations. 5.1 The Processor shall: (a) only carry out processing of personal data in accordance with the Controller’s documented instructions, including where relevant for transfers of third country resident personal data or to an international organisation, in which case the Processor shall inform the Controller of that legal requirement (unless prohibited by law), and shall immediately inform the Controller if, in the Processor’s opinion, any instruction given by the Controller to the Processor infringes Privacy and Data Protection Requirements; (b) notify the Controller without undue delay of any requests received from a Data Subject exercising their rights under Privacy and Data Protection Requirements and, taking into account the nature of the processing, assist the Controller by taking appropriate technical and organisational measures, insofar as this is possible, with fulfilling its obligations in respect of Data Subject rights under the Privacy and Data Protection Requirements, including responding to any subject access requests or requests from Data Subjects for access to, rectification, erasure or portability of personal data, or for restriction of processing or objections to processing of personal data; (c) take all security measures required in accordance with the Privacy and Data Protection Requirements (including where relevant, Article 21 and 22 of the 2018 Law), and at the request of the Controller provide a written description of, and rationale for, the technical and organisational measures implemented, or to be implemented, to protect the personal data against unauthorised or unlawful processing and accidental loss; and detect and report personal data breaches without undue delay; (d) where relevant for the processing of third country or other international organisation’s resident personal data and taking into account the nature of the processing and the information available to the Processor, use all measures to assist the Controller in ensuring compliance with the Controller’s obligations to; i. keep personal data secure (Article 21 of the 2018 Law); ii. notify personal data breaches to the Authority (Article 20 of the 2018 Law); iii. advise data subjects when there has been a personal data breach (Article 20(6) of the 2018 Law); iv. carry out data protection impact assessments (Article 16 of the 2018 Law); and v. consult with the Authority where a data protection impact assessment indicates that there is an unmitigated high risk to the processing (Article 17 of the 2018 Law). (e) without undue delay, inform the Controller of becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the personal data transmitted, stored or otherwise processed. The Processor accepts and acknowledges that the Controller shall direct in its sole discretion, any and all steps and measures taken to remedy a breach by the Processor under the Privacy and Data Protection Requirements, including but not limited to any communications with the Authority. The Processor agrees not to act in any way upon such disclosure without the prior written consent of the Controller; (f) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller as set out in paragraph 5 below; and (g) in addition to the confidentiality obligations contained within the Agreement, ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 5.2 On expiry or termination of the Agreement, the Processor shall immediately cease to use personal data and shall arrange for its safe return or destruction as shall be required by the Controller (unless otherwise prescribed by law).

Appears in 2 contracts

Samples: Service Agreement, Service Agreement

AutoNDA by SimpleDocs

Processor Obligations. 5.1 The Processor shall: (a) only carry out processing of personal data in accordance with the Controller’s documented instructions, including where relevant for transfers of third country resident personal data or to an international organisation, in which case the Processor shall inform the Controller of that legal requirement (unless prohibited by law), and shall immediately inform the Controller if, in the Processor’s opinion, any instruction given by the Controller to the Processor infringes Privacy and Data Protection Requirements; (b) notify the Controller without undue delay of any requests received from a Data Subject exercising their rights under Privacy and Data Protection Requirements and, taking into account the nature of the processing, assist the Controller by taking appropriate technical and organisational measures, insofar as this is possible, with fulfilling its obligations in respect of Data Subject rights under the Privacy and Data Protection Requirements, including responding to any subject access requests or requests from Data Subjects for access to, rectification, erasure or portability of personal data, or for restriction of processing or objections to processing of personal data; (c) take all security measures required in accordance with the Privacy and Data Protection Requirements (including where relevant, Article 21 and 22 of the 2018 LawDP18), and at the request of the Controller provide a written description of, and rationale for, the technical and organisational measures implemented, or to be implemented, to protect the personal data against unauthorised or unauthorisedor unlawful processing and accidental loss; and detect and report personal data breaches without undue delay; (d) where relevant for the processing of third country or other international organisation’s resident personal data and taking into account the nature of the processing and the information available to the Processor, use all measures to assist the Controller in ensuring compliance with the Controller’s obligations to; i. keep personal data secure (Article 21 of the 2018 Law); ii. notify personal data breaches to the Authority (Article 20 of the 2018 Law); iii. advise data subjects when there has been a personal data breach (Article 20(6) of the 2018 Law); iv. carry out data protection impact assessments (Article 16 of the 2018 Law); and v. consult with the Authority where a data protection impact assessment indicates that there is an unmitigated high risk to the processing (Article 17 of the 2018 Law). (e) without undue delay, inform the Controller of becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the personal data transmitted, stored or otherwise processed. The Processor accepts and acknowledges that the Controller shall direct in its sole discretion, any and all steps and measures taken to remedy a breach by the Processor under the Privacy and Data Protection Requirements, including but not limited to any communications with the Authority. The Processor agrees not to act in any way upon such disclosure without the prior written consent of the Controller; (f) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller as set out in paragraph 5 below; and (g) in addition to the confidentiality obligations contained within the Agreement, ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 5.2 On expiry or termination of the Agreement, the Processor shall immediately cease to use personal data and shall arrange for its safe return or destruction as shall be required by the Controller (unless otherwise prescribed by law).

Appears in 2 contracts

Samples: Services Agreement, Services Agreement

AutoNDA by SimpleDocs

Processor Obligations. 5.1 The Where relevant the Processor shall: (a) only carry out processing of personal data in accordance with the Controller’s Authority documented instructions, including where relevant for transfers of third country resident personal data or to an international organisation, in which case the Processor shall inform the Controller Authority of that legal requirement (unless prohibited by law), and shall immediately inform the Controller Authority if, in the Processor’s opinion, any instruction given by the Controller Authority to the Processor infringes Privacy and Data Protection Requirements; (b) notify the Controller Authority without undue delay of any requests received from a Data Subject exercising their rights under Privacy and Data Protection Requirements and, taking into account the nature of the processing, assist the Controller Authority by taking appropriate technical and organisational measures, insofar as this is possible, with fulfilling its obligations in respect of Data Subject rights under the Privacy and Data Protection Requirements, including responding to any subject access requests or requests from Data Subjects for access to, rectification, erasure or portability of personal data, or for restriction of processing or objections to processing of personal data; (c) take all security measures required in accordance with the Privacy and Data Protection Requirements (including where relevant, Article 21 and 22 of the 2018 Law), and at the request of the Controller Authority provide a written description of, and rationale for, the technical and organisational measures implemented, or to be implemented, to protect the personal data against unauthorised or unlawful processing and accidental loss; and detect and report personal data breaches without undue delay; (d) where relevant for the processing of third country or other international organisation’s resident personal data and taking into account the nature of the processing and the information available to the Processor, use all measures to assist the Controller Authority in ensuring compliance with the Controller’s Authority obligations to; i. keep personal data secure (Article 21 of the 2018 Law); ii. notify personal data breaches to the Authority (Article 20 of the 2018 Law); iii. advise data subjects when there has been a personal data breach (Article 20(6) of the 2018 Law); iv. carry out data protection impact assessments (Article 16 of the 2018 Law); and v. consult with the Authority where a data protection impact assessment indicates that there is an unmitigated high risk to the processing (Article 17 of the 2018 Law). (e) without undue delay, inform the Controller of becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the personal data transmitted, stored or otherwise processed. The Processor accepts and acknowledges that the Controller shall direct in its sole discretion, any and all steps and measures taken to remedy a breach by the Processor under the Privacy and Data Protection Requirements, including but not limited to any communications with the Authority. The Processor agrees not to act in any way upon such disclosure without the prior written consent of the Controller; (f) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller as set out in paragraph 5 below; and (g) in addition to the confidentiality obligations contained within the Agreement, ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 5.2 On expiry or termination of the Agreement, the Processor shall immediately cease to use personal data and shall arrange for its safe return or destruction as shall be required by the Controller (unless otherwise prescribed by law).

Appears in 1 contract

Samples: Services Agreement

Draft better contracts in just 5 minutes Get the weekly Law Insider newsletter packed with expert videos, webinars, ebooks, and more!