Processor Obligations. Without prejudice to the generality of clause 3, PROCESSOR shall, in relation to any personal and special category data processed in connection with the performance by PROCESSOR of its obligations under this Agreement:
7.1. process personal data only on the written instructions of CONTROLLER unless PROCESSOR is required by any Data Protection Legislation. Where PROCESSOR is relying on Data Protection Legislation as the basis for processing personal data, PROCESSOR shall promptly notify CONTROLLER of this before performing the processing required by the Data Protection Legislation unless the Data Protection Legislation prohibit PROCESSOR from so notifying CONTROLLER;
7.2. ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
7.3. ensure that all personnel who have access to and/or process personal data are (i) obliged to keep the personal data confidential and (ii) aware of their responsibilities and are suitably trained in connection with processing the personal and special category data;
7.4. not transfer any personal and special category data outside of the United Kingdom or the European Union unless the prior written consent of the CONTROLLER has been obtained and the following conditions are fulfilled:
a) PROCESSOR has provided appropriate safeguards and/or permissions in relation to the transfer;
b) the data subject has enforceable rights and effective legal remedies;
c) PROCESSOR complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal and special category data that is transferred; and
d) PROCESSOR complies with reasonable instructions notified to it in advance by CONTROLLER with respect to the processing of the personal data;
7.5. assist CONTROLLER, in compliance with legislation, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
7.6. notify CONTROLLER immediately on becoming aware of a personal data breach;
7.7. at the written direction of CONTROLLER, delete personal data in accordance with Clause 2 above or return personal data and copies thereof to CONTROLLER on termination of this Agreement unless required by Data Protection Legislation to store the personal data;
Appears in 2 contracts
Samples: Data Processing Agreement, Data Processing Agreement
Processor Obligations.
4.1. The provisions in this paragraph 4 only apply to the extent Holibob acts as Processor.
4.2. The scope, nature and purpose of processing by Holibob, the duration of the processing and the types of Personal Data and categories of data subject are set out in Appendix 1 (Processor Details) to this Schedule.
4.3. Holibob shall:
4.3.1. only process the Personal Data in accordance with the Partner's written instructions from time to time, unless otherwise required by law, in which case, Xxxxxxx shall inform the Partner of that legal requirement before carrying out the processing, unless that law prohibits such information on important grounds of public interest;
4.3.2. ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
4.3.3. take all appropriate technical and organisational measures (including such measures set out in Appendix 2 as applicable to the Service) to ensure a level of security for the Personal Data which is appropriate to the risks to individuals and to the Personal Data that may result from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data;
4.3.4. enter into a written agreement with each sub-processor that imposes obligations on the sub-processor which are no less onerous than those imposed on Holibob as Processor. Holibob shall remain fully liable to the Partner for the acts and omissions of its sub-processors;
4.3.5. taking into account the nature of the processing, provide reasonable assistance, by appropriate technical and organisational measures, insofar as this is possible, to enable the Partner to fulfil their obligations to respond to any requests from data subjects in accordance with Data Protection Legislation;
4.3.6. provide reasonably required assistance to enable the Partner to comply with their obligations under Data Protection Legislation relating to personal data breach notifications, data protection impact assessments and prior consultations;
4.3.7. in the event that it becomes aware of a personal data breach involving or affecting any Personal Data, notify the Partner without undue delay giving full details of the same, and Holibob shall reasonably cooperate in order to enable the Partner to comply with their own requirements in relation to the personal data breach under Data Protection Legislation;
4.3.8. upon expiration or termination of the provision of the Services relating to the processing of the Personal Data, at the Partner's choice, return or erase all such Personal Data (including any copies of it) in its possession or control unless Holibob is required to retain or store Personal Data in order to comply with Applicable Laws;
4.3.9. make available to the Partner all information necessary to demonstrate that Holibob is in compliance with this paragraph 4; and
4.3.10. permit the Partner (either itself or through a professional and reputable third party auditor appointed by the Partner) to audit Xxxxxxx's compliance with this paragraph 4 on not more than one occasion in each calendar year and upon providing Holibob with a minimum of twenty (20) Business Days' notice. Holibob shall provide the Partner (and their third party auditor as the case may be) on reasonable request with such reasonable and supervised access to Holibob's documents, premises and systems solely as required for the purposes of compliance with this paragraph 4.3.10.
4.4. The Partner hereby provides its general authorisation to the appointment of sub-processors by Xxxxxxx, provided that the Partner shall be appropriately notified of any proposed addition to, or replacement of, any sub-processor and given a reasonable opportunity to object to such change. The Partner must raise any reasonable objections in writing on legitimate grounds within 14 days after receiving notice of the change, otherwise the change will be deemed accepted. In the event of any objection reasonably raised in accordance with this paragraph, the Parties shall enter into good faith discussions to agree a workaround. However, if no such workaround is agreed in Holibob’s reasonable opinion, Holibob shall be entitled to terminate the Services relating to the change in sub-processor.
Appears in 1 contract
Processor Obligations. Without prejudice to the generality of clause 3, Askia shall, in relation to any Personal Data processed in connection with the performance by Askia of its obligations under this Agreement:
(a) process that Personal Data only on the written instructions of the Customer unless Askia is otherwise required to process the Personal Data to comply with European or European member state Applicable Law and in which case Askia shall promptly notify the Customer of this before performing the processing required by such Applicable Law unless such law prohibits Askia from so notifying the Customer on ground of public interests;
(b) ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data (“Security Breach”), appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(d) not transfer any Personal Data outside of the EEA unless authorised pursuant to paragraph 1.6 below and unless the following conditions are fulfilled:
(i) the Customer (or its customer) or Askia has provided appropriate safeguards and/or permissions in relation to the transfer;
(ii) the data subject has enforceable rights and effective legal remedies;
(iii) Askia complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred; and
(iv) Askia complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;
(e) assist the Customer in responding to any request from a Data Subject for exercising their rights under the Data Protection Laws and in ensuring compliance with its obligations under the Data Protection Laws with respect to security, breach notifications and communications, impact assessments and consultations with supervisory authorities or regulators;
(f) notify the Customer without undue delay on becoming aware of a Security Breach;
(g) at the written direction of the Customer, delete personal data in accordance with Clause 2 above or return Personal Data and copies thereof to the Customer on termination of the Agreement unless required by Applicable Law to store the Personal Data; and
(h) maintain complete and accurate records and information to demonstrate its compliance with this Schedule
(i) allow the Customer or its third party auditors to access and inspect Askia’s premises, records and personnel relevant to any processing of Customer Personal Data to enable the Customer to audit and verify that Askia is complying with its obligations under this Schedule 3 and under Data Protection Laws (“Data Protection Audit”). The Customer shall provide Askia with reasonable prior written notice of any Data Protection Audit, only conduct such audits during normal business hours and taking all reasonable measures to prevent disruption to Askia’s business and operations. The Customer may not exercise its audit rights under this paragraph 1.5(d)(i) more than once in any twelve (12) calendar month period, except if (i) required by instruction of an authorised regulator; or (ii) if the Customer reasonably believes an audit is necessary due to a Security Breach suffered or which is likely to be suffered by Askia.
Appears in 1 contract
Samples: Software License Agreement