Processor’s Obligations. Except where expressly permitted by Article 28 (3)(a) GDPR, Processor shall process data subjects’ Data only within the scope of the Agreement and the instructions issued by Controller. Where Processor believes that an instruction would be in breach of applicable law, Processor shall notify Controller of such belief without undue delay. Processor shall be entitled to suspend performance on such instruction until Controller confirms or modifies such instruction. Processor shall, within Processor’s scope of responsibility, organize Processor’s internal organization so it satisfies the specific requirements of data protection. Processor shall implement technical and organizational measures to ensure the adequate protection of Controller’s Data, which measures shall fulfil the requirements of the GDPR and specifically its Article 32. Processor shall implement technical and organizational measures and safeguards that ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services and shall implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. Controller is familiar with these technical and organizational measures, and it shall be Controller’s responsibility that such measures ensure a level of security appropriate to the risk. The parties agree to refer to the existing certification of Processor by Kiwa International Cert GmbH in accordance with DIN ISO/IEC 27001:2015 which is considered sufficient evidence for these purposes by Controller and which is available on the website of Processor (xxx.xxxxxxx.xxx). Processor reserves the right to modify the measures and safeguards implemented, provided, however, that the level of security shall not be less protective than initially agreed upon.
Processor shall support Controller, insofar as is agreed upon by the parties, and where possible for Processor, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 GDPR. Processor shall ensure that all employees involved in Contract Processing of Controller’s Data and other such persons as may be involved in Contract Processing within Processor’s scope of responsibility shall only do so within the scope of the instructions. Furthermore, Processor shall ensure that any person entitled to process Data on behalf of Controller has undertaken a commitment to confidentiality under terms similar to the confidentiality terms of the Agreement. All such confidentiality obligations shall survive the termination or expiration of such Contract Processing. Processor shall notify Controller without undue delay if Processor becomes aware of any Data breaches within Processor’s scope of responsibility. Processor shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; the Processor shall coordinate such efforts with Controller without undue delay. Processor shall notify to Controller the point of contact for any issues related to data protection arising out of or in connection with the Agreement. The Exhibit provides for a list of the initially designated persons. Processor shall correct or erase Data if so instructed by Controller and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Processor shall, based on Controller’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media and other material or return the same to Controller. 
In specific cases designated by Controller, such Data shall be stored or handed over. The associated cost for doing so and protective measures to put in place shall be agreed upon separately, unless already agreed upon in the Agreement. Processor shall, upon termination of Contract Processing and upon Controller’s instruction, return all Data, carrier media and other materials to Controller or delete the same. Where a data subject asserts any claims against Controller in accordance with Article 82 of the GDPR, Processor shall support Controller in defending against such claims, where possible at Controller’s cost as set out in Section 6 para. 3. Controller shall notify Processor without undue delay, and comprehensively, of any defect or irregularity with regard to provisions on data protection detected by Controller in the results of Processor’s work.
Appears in 14 contracts
Samples: Software as a Service Agreement, Software as a Service Agreement, Master Services Agreement
Processor’s Obligations. 1. Except where expressly permitted by Article 28 (3)(a) GDPR, Processor shall process data subjects’ Data only within the scope of the Agreement and the instructions issued by Controller. Where Processor believes that an instruction would be in breach of applicable law, Processor shall notify Controller of such belief without undue delay. Processor shall be entitled to suspend performance on such instruction until Controller confirms or modifies such instruction.
2. Processor shall, within Processor’s scope of responsibility, organize Processor’s internal organization so it satisfies the specific requirements of data protection. Processor shall implement technical and organizational measures to ensure the adequate protection of Controller’s Data, which measures shall fulfil the requirements of the GDPR and specifically its Article 32. Processor shall implement technical and organizational measures and safeguards that ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services and shall implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. Controller is familiar with these technical and organizational measures, and it shall be Controller’s responsibility that such measures ensure a level of security appropriate to the risk. The parties agree to refer to the existing certification of Processor by Kiwa International Cert GmbH in accordance with DIN ISO/IEC 27001:2015 which is considered sufficient evidence for these purposes by Controller and which is available on the website of Processor (xxx.xxxxxxx.xxx).
3. Processor reserves the right to modify the measures and safeguards implemented, provided, however, that the level of security shall not be less protective than initially agreed upon.
4. Processor shall support Controller, insofar as is agreed upon by the parties, and where possible for Processor, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 GDPR.
5. Processor shall ensure that all employees involved in Contract Processing of Controller’s Data and other such persons as may be involved in Contract Processing within Processor’s scope of responsibility shall only do so within the scope of the instructions. Furthermore, Processor shall ensure that any person entitled to process Data on behalf of Controller has undertaken a commitment to confidentiality under terms similar to the confidentiality terms of the Agreement. All such confidentiality obligations shall survive the termination or expiration of such Contract Processing.
6. Processor shall notify Controller without undue delay if Processor becomes aware of any Data breaches within Processor’s scope of responsibility.
7. Processor shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; the Processor shall coordinate such efforts with Controller without undue delay.
8. Processor shall notify to Controller the point of contact for any issues related to data protection arising out of or in connection with the Agreement. The Exhibit provides for a list of the initially designated persons.
9. Processor shall correct or erase Data if so instructed by Controller and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Processor shall, based on Controller’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media and other material or return the same to Controller.
10. In specific cases designated by Controller, such Data shall be stored or handed over. The associated cost for doing so and protective measures to put in place shall be agreed upon separately, unless already agreed upon in the Agreement.
11. Processor shall, upon termination of Contract Processing and upon Controller’s instruction, return all Data, carrier media and other materials to Controller or delete the same.
12. Where a data subject asserts any claims against Controller in accordance with Article 82 of the GDPR, Processor shall support Controller in defending against such claims, where possible at Controller’s cost as set out in Section 6 para. 3.
1. Controller shall notify Processor without undue delay, and comprehensively, of any defect or irregularity with regard to provisions on data protection detected by Controller in the results of Processor’s work.
Appears in 5 contracts
Samples: Software Subscription Agreement, Software Subscription Agreement, End User License Agreement
Processor’s Obligations. 1. Except where expressly permitted by Article 28 (3)(a) GDPR, Processor shall process data subjects’ Data only within the scope of the Agreement and the instructions issued by Controller. Where Processor believes that an instruction would be in breach of applicable law, Processor shall notify Controller of such belief without undue delay. Processor shall be entitled to suspend performance on such instruction until Controller confirms or modifies such instruction.
2. Processor shall, within Processor’s scope of responsibility, organize Processor’s internal organization so it satisfies the specific requirements of data protection. Processor shall implement technical and organizational measures to ensure the adequate protection of Controller’s Data, which measures shall fulfil the requirements of the GDPR and specifically its Article 32. Processor shall implement technical and organizational measures and safeguards that ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services and shall implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. Controller is familiar with these technical and organizational measures, and it shall be Controller’s responsibility that such measures ensure a level of security appropriate to the risk. The parties agree to refer to the existing certification of Processor by Kiwa International Cert GmbH in accordance with DIN ISO/IEC 27001:2015 which is considered sufficient evidence for these purposes by Controller and which is available on the website of Processor (xxx.xxxxxxx.xxx).
3. Processor reserves the right to modify the measures and safeguards implemented, provided, however, that the level of security shall not be less protective than initially agreed upon.
4. Processor shall support Controller, insofar as is agreed upon by the parties, and where possible for Processor, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 GDPR.
5. Processor shall ensure that all employees involved in Contract Processing of Controller’s Data and other such persons as may be involved in Contract Processing within Processor’s scope of responsibility shall only do so within the scope of the instructions. Furthermore, Processor shall ensure that any person entitled to process Data on behalf of Controller has undertaken a commitment to confidentiality under terms similar to the confidentiality terms of the Agreement. All such confidentiality obligations shall survive the termination or expiration of such Contract Processing.
6. Processor shall notify Controller without undue delay if Processor becomes aware of any Data breaches within Processor’s scope of responsibility.
7. Processor shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; the Processor shall coordinate such efforts with Controller without undue delay.
8. Processor shall notify to Controller the point of contact for any issues related to data protection arising out of or in connection with the Agreement. The Exhibit provides for a list of the initially designated persons.
9. Processor shall correct or erase Data if so instructed by Controller and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Processor shall, based on Controller’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media and other material or return the same to Controller.
10. In specific cases designated by Controller, such Data shall be stored or handed over. The associated cost for doing so and protective measures to put in place shall be agreed upon separately, unless already agreed upon in the Agreement.
11. Processor shall, upon termination of Contract Processing and upon Controller’s instruction, return all Data, carrier media and other materials to Controller or delete the same.
12. Where a data subject asserts any claims against Controller in accordance with Article 82 of the GDPR, Processor shall support Controller in defending against such claims, where possible at Controller’s cost as set out in Section 6 para. 3. Controller shall notify Processor without undue delay, and comprehensively, of any defect or irregularity with regard to provisions on data protection detected by Controller in the results of Processor’s work.
Appears in 4 contracts
Samples: Software Subscription Agreement, Software Subscription Agreement, Software Subscription Agreement
Processor’s Obligations. Except where expressly permitted by Article 28 (3)(a) GDPR, Processor shall process data subjects’ Data only within the scope of the Agreement and the instructions issued by Controller. Where Processor believes that an instruction would be in breach of applicable law, Processor shall notify Controller of such belief without undue delay. Processor shall be entitled to suspend performance on such instruction until Controller confirms or modifies such instruction. Processor shall, within Processor’s scope of responsibility, organize Processor’s internal organization so it satisfies the specific requirements of data protection. Processor shall implement technical and organizational measures to ensure the adequate protection of Controller’s Data, which measures shall fulfil the requirements of the GDPR and specifically its Article 32. Processor shall implement technical and organizational measures and safeguards that ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services and shall implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. Controller is familiar with these technical and organizational measures, and it shall be Controller’s responsibility that such measures ensure a level of security appropriate to the risk. The parties agree to refer to the existing certification of Processor by Kiwa International Cert GmbH in accordance with DIN ISO/IEC 27001:2015 which is considered sufficient evidence for these purposes by Controller and which is available on the website of Processor (xxx.xxxxxxx.xxx). Processor reserves the right to modify the measures and safeguards implemented, provided, however, that the level of security shall not be less protective than initially agreed upon.
Processor shall support Controller, insofar as is agreed upon by the parties, and where possible for Processor, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 GDPR. Processor shall ensure that all employees involved in Contract Processing of Controller’s Data and other such persons as may be involved in Contract Processing within Processor’s scope of responsibility shall only do so within the scope of the instructions. Furthermore, Processor shall ensure that any person entitled to process Data on behalf of Controller has undertaken a commitment to confidentiality under terms similar to the confidentiality terms of the Agreement. All such confidentiality obligations shall survive the termination or expiration of such Contract Processing. Processor shall notify Controller without undue delay if Processor becomes aware of any Data breaches within Processor’s scope of responsibility. Processor shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; the Processor shall coordinate such efforts with Controller without undue delay. Processor shall notify to Controller the point of contact for any issues related to data protection arising out of or in connection with the Agreement. The Exhibit provides for a list of the initially designated persons. Processor shall correct or erase Data if so instructed by Controller and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Processor shall, based on Controller’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media and other material or return the same to Controller. 
In specific cases designated by Controller, such Data shall be stored or handed over. The associated cost for doing so and protective measures to put in place shall be agreed upon separately, unless already agreed upon in the Agreement. Processor shall, upon termination of Contract Processing and upon Controller’s instruction, return all Data, carrier media and other materials to Controller or delete the same. Where a data subject asserts any claims against Controller in accordance with Article 82 of the GDPR, Processor shall support Controller in defending against such claims, where possible at Controller’s cost as set out in Section 6 para. 3. Controller shall notify Processor without undue delay, and comprehensively, of any defect or irregularity with regard to provisions on data protection detected by Controller in the results of Processor’s work.
Appears in 3 contracts
Samples: Software as a Service Agreement, Software as a Service Agreement, Software as a Service Agreement
Processor’s Obligations. 1. For the performance of the obligations in relation to this Data Processing Agreement, the Processor shall only appoint such employees who were informed about all relevant data privacy obligations and instructed to comply with data secrecy pursuant to the Swiss Data Protection Act and EU General Data Protection Regulation prior to performing their duties. The employees shall be sufficiently trained in order to be able to comply with their data protection and commercial contractual obligations. The Processor shall ensure an adequate level of training by implementing suitable controls. The Processor shall use additional means such as background checks of respective employees, where deemed an appropriate mitigating measure to any operational risk imposed on the Company.
2. Except where expressly permitted by Art. 28 (3)(a) of the GDPR, Processor shall process data subjects’ Data only within the scope of the statement of work and the instructions issued by Company within the Agreement or this DPA. Where Processor believes that an instruction would be in breach of applicable law, Processor shall notify Company of such belief without undue delay. Processor shall be entitled to suspending performance on such instruction until Company confirms or modifies such instruction.
3. Processor shall, within Processor’s scope of responsibility, organise Processor’s internal organisation so it satisfies the specific requirements of data protection. Processor shall implement technical and organisational measures to ensure the adequate protection of Company’s Data, which measures shall fulfil the requirements of the GDPR and specifically its Art. 32. Processor shall implement technical and organisational measures and safeguards that ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.
4. Processor reserves the right to modify the measures and safeguards implemented, provided, however, that the level of security shall not be less protective than initially agreed upon.
5. Processor shall support Company, insofar as is agreed upon by the parties, and where possible for Processor, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Art.s 33 to 36 of the GDPR.
6. Processor warrants that all employees involved in Contract Processing of Company’s Data and other such persons as may be involved in Contract Processing within Processor’s scope of responsibility shall be prohibited from processing Data outside the scope of the instructions. Furthermore, Processor warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Contract Processing.
7. Processor shall notify Company, without undue delay, if Processor becomes aware of any breaches of the protection of personal data within Processor’s scope of responsibility.
8. Processor shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; the Processor shall coordinate such efforts with Company without undue delay.
9. Processor shall notify to Controller the Company point of contact (Annex 1) for any issues related to data protection arising out of or in connection with the Agreement.
10. Processor warrants that Processor fulfills its obligations under Art. 32(1)(d) of the GDPR to implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
11. Processor shall correct or erase Data if so instructed by Company and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Processor shall, based on Company’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media and other material.
12. Processor shall, unless requested otherwise in writing at the time of termination by Company, upon termination of Contract Processing act in accordance to the Term and Termination Clause of the Agreement.
13. Company shall bear any extra cost caused by deviating requirements in returning or deleting data.
14. The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller. The record shall include the following:
● The name and contact information of the specific Processor, any sub-processor of the Commercial Contract (Beekeeper Software as a Service Subscription Agreement), the Company, the Data Protection Officer and, where relevant, the representative of the Processor.
● The categories of processing carried out by the Processor or any sub-processor on behalf of the Company.
● General description of the technical and organizational security measures undertaken by the Processor to safeguard the Company Data, cf. Art. 32(1) in the General Data Protection Regulation.
15. The list shall be in writing, including in electronic format. At the request of the Company, the Processor shall at any time make the list available to the Company.
16. When the processing of Company Data at the Processor takes place in home offices, in whole or in part, the Processor shall lay down guidelines for the personnel's processing of Company Data in home offices. The guidelines shall be submitted to the Company upon request.
17. The Processor shall participate in discussions, if any, with the Company and/or the Data Protection Agency and in good faith consider any recommendations and/or improvement notices, etc., from the Company and/or Data Protection Agency regarding the processing of Company Data.
18. The Processor shall promptly inform the Company if the Data Protection Agency contacts the Processor regarding the support or services covered by the DPA.
19. The Processor furthermore undertakes to promptly notify the Company of:
● Any request by a public authority for transfer of Company Data covered by the Commercial Contract, unless the notification of the Company is explicitly prohibited by law, e.g. pursuant to rules designed to ensure the non-disclosure of investigations performed by a law-enforcement authority.
● Any request for access received directly from the data subject or from another party.
Appears in 1 contract
Samples: Data Processing Agreement
Processor’s Obligations. 1. Except where expressly permitted by Article 28 (3)(a) of the GDPR, Processor shall process data subjects’ Data only within the scope of the statement of work and the instructions issued by Controller. Where Processor believes that an instruction would be in breach of applicable law, Processor shall notify Controller of such belief without undue delay. Processor shall be entitled to suspending performance on such instruction until Controller confirms or modifies such instruction.
2. Processor shall, within Processor’s scope of responsibility, organise its internal organisation so it satisfies the specific requirements of data protection. Processor shall implement technical and organisational measures to ensure the adequate protection of Controller’s Data, which measures shall fulfil the requirements of the GDPR and specifically its Article 32. Processor shall implement technical and organisational measures and safeguards that ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services. Controller is familiar with these technical and organisational measures, and it shall be Controller’s responsibility that such measures ensure a level of security appropriate to the risk. The parties agree to refer to the existing certification of Processor by Kiwa International Cert GmbH in accordance with DIN ISO/IEC 27001:2015 which is considered sufficient evidence for these purposes by Controller and which is available on the website of Processor (xxx.xxxxxxx.xxx). Appendix 1) Processor reserves the right to modify the measures and safeguards implemented, provided, however, that the level of security shall not be less protective than initially agreed upon.
3. Processor shall support Controller, as far as agreed upon by the parties, and where technically possible for Processor, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 of the GDPR.
4. Processor warrants that all employees involved in Contract Processing of Controller’s Data and other such persons as may be involved in Contract Processing within Processor’s scope of responsibility shall be prohibited from processing Data outside the scope of the instructions. Furthermore, Processor warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Contract Processing.
5. Processor shall notify Controller, without undue delay, if Processor becomes aware of any breaches of the protection of personal data within Processor’s scope of responsibility. Processor shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; the Processor shall coordinate such efforts with Controller without undue delay.
6. Processor shall notify to Controller the point of contact for any issues related to data protection arising out of or in connection with the Agreement.
7. Processor warrants that Processor fulfils its obligations under Article 32 (1)(d) of the GDPR to implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
8. Processor shall correct or completely delete Data if so instructed by Controller and where covered by the scope of the instructions permissible. Where a complete correction or deletion, compliant with data protection requirements, or a corresponding restriction of processing is impossible, Processor shall, based on Controller’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media and other material or return the same to Controller. In specific cases designated by Controller, such Data shall be stored or handed over. The associated remuneration and protective measures to put in place shall be agreed upon separately, unless already agreed upon in the Agreement.
9. Processor shall, upon termination of Contract Processing and upon Controller’s instruction, return all Data, carrier media and other materials to Controller or delete the same. Controller shall bear any extra cost caused by deviating requirements in returning or deleting data.
10. Where a data subject asserts any claims against Controller in accordance with Article 82 of the GDPR, Processor shall support Controller in defending against such claims, where possible.
Appears in 1 contract
Samples: Data Processing Agreement