Protection of Information. The provisions of this Clause CO-3, shall apply during the Call-Off Agreement Period and for such time as the Supplier holds the Customer Personal Data. The Supplier shall and shall procure that Supplier’s Staff comply with any notification requirements under the DPA and both Parties undertake to duly observe all their obligations under the DPA which arise in connection with the Call-Off Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. 
The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings). The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. 
Where the Customer consents to such Processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
Appears in 4 contracts
Samples: Call Off Agreement, Framework Agreement, Call Off Agreement
Protection of Information. The provisions of this Clause CO-3, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. 
The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO-3.6 allow. The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. 
Where the Customer consents to such Processingprocessing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
Appears in 3 contracts
Samples: Framework Agreement, Framework Agreement, Framework Agreement
Protection of Information. The provisions of this Clause CO-3, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. 
The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO-3.6 allow. The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. 
Where the Customer consents to such Processingprocessing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
Appears in 3 contracts
Samples: Call Off Agreement, Call Off Agreement, Framework Agreement
Protection of Information. The provisions of this Clause CO-3, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. 
The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings). The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. 
Where the Customer consents to such Processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
Appears in 2 contracts
Samples: Call Off Agreement, Call Off Agreement
Protection of Information. The provisions of this Clause CO-3., shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. 
The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO-3.86 allow. The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. 
Where the Customer consents to such Processingprocessing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
Appears in 2 contracts
Samples: Framework Agreement, Framework Agreement
Protection of Information. The provisions of this Clause CO-3FW-3, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. 
The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO-3.6 allow. The Supplier shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer.
Where the Customer consents to such processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
Appears in 2 contracts
Samples: Framework Agreement, Framework Agreement
Protection of Information. The provisions of this Clause CO-3, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. 
The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO 3.6 allow. The Supplier shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer.
Where the Customer consents to such processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
Appears in 1 contract
Samples: Framework Agreement
Protection of Information. The provisions of this Clause CO-3FW-1.5, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. 
The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings). The Supplier shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer.
Where the Customer consents to such Processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).and/or
Appears in 1 contract
Samples: Framework Agreement
Protection of Information. The provisions Data Protection Act8 For the purposes of this Clause CO-35.1, shall apply during the Call-Off Agreement Period and for such time as the Supplier holds the Customer terms "Data Controller", "Data Processor", “Data Subject”, "Personal Data", "Process" and "Processing" shall have the meanings prescribed under the DPA. The Supplier Service Provider shall (and shall procure that Supplier’s Staff all of its Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all of their obligations under the DPA which arise in connection with the Call-Off AgreementContract. To Notwithstanding the extent that general obligation in Clause 5.1.2, where the Supplier Service Provider is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal as a Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide Processor for the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. 
To the extent that the Supplier Processes Service Personal Data the Supplier Provider shall: Process Service the Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreementthe Contract; comply with all applicable laws; Process the Service Personal Data only to the extent, and in such manner, manner as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory BodyService Provider's obligations under the Framework Agreement; implement appropriate technical and organisational measures to protect Service the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result arise from any unauthorised or unlawful Processingprocessing, accidental loss, destruction or damage to Service the Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff its employees and agents who may have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; use all reasonable endeavours to ensure that none such persons have sufficient skills and training in the handling of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer 
with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings). 
The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit the Personal Data to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer European Economic Area without the prior written consent of the Customer. Where ; not disclose the Personal Data to any third parties in any circumstances other than with the written consent of the Customer consents to such Processing, storing, accessing or transfer outside in compliance with a legal obligation imposed upon the European Economic Area the Supplier shall: comply Customer; and co-operate with the obligations of a Data Controller under Customer to enable the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection Customer to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by request under Section 7 of the DPA. notify the Customer and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that within [five] Working Days if it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). 
In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).receives:
Appears in 1 contract
Samples: Framework Agreement
Protection of Information. The provisions of this Clause CO-3., shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Call-Off this Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. 
The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO-3.8 allow. The Supplier shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer.
Where the Customer consents to such processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
Samples: Framework Agreement
Protection of Information. The provisions of this Clause FW-3, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data) and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. 
The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO-3.6 allow. The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. 
Where the Customer consents to such processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
Samples: Call Off Terms
Protection of Information. The provisions of this Clause CO-7, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. 
The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings). The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. 
Where the Customer consents to such Processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
Samples: Call Off Agreement
Protection of Information. The provisions of this Clause CO-3, shall apply during the Call-Off Agreement Period and for such time as the Supplier holds the Customer Personal Data. The Supplier shall and shall procure that Supplier’s Staff comply with any notification requirements under the DPA and both Parties undertake to duly observe all their obligations under the DPA which arise in connection with the Call-Off Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. 
The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings). The Supplier shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer.
Where the Customer consents to such Processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that the obligations set out in the Supplier Terms provide adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
Samples: Call Off Agreement
Protection of Information. The provisions of this Clause CO-3, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. 
The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO-3.6 allow. The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. 
Where the Customer consents to such processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
Samples: Framework Agreement
Protection of Information. The provisions of this Clause CO-3, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. 
The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings). The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. 
Where the Customer consents to such Processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach). and/or
Samples: Call Off Agreement
Protection of Information. E1 Data Protection
E1.1 For the purposes of this Clause E1:
Data Protection Legislation: (i) the GDPR, the LED and any applicable national implementing Laws as amended from time to time (ii) the DPA 2018 [subject to Royal Assent] to the extent that it relates to processing of personal data and privacy; (iii) all applicable Law about the processing of personal data and privacy;
Data Protection Impact Assessment: an assessment by the Controller of the impact of the envisaged processing on the protection of Personal Data.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Data Protection Officer take the meaning given in the GDPR.
Data Loss Event: any event that results, or may result, in unauthorised access to Personal Data held by the Supplier under this Agreement, and/or actual or potential loss and/or destruction of Personal Data in breach of this Agreement, including any Personal Data Breach.
Data Subject Access Request: a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation to access their Personal Data.
DPA 2018: Data Protection Act 2018
GDPR: the General Data Protection Regulation (Regulation (EU) 2016/679)
LED: Law Enforcement Directive (Directive (EU) 2016/680)
Protective Measures: appropriate technical and organisational measures which may include: pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of such measures adopted by it.
Sub-processor: any third Party appointed to process Personal Data on behalf of the Supplier related to this Agreement
E1.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor. The only processing that the Supplier is authorised to do is listed in Schedule 7 by the Customer and may not be determined by the Supplier.
E1.3 The Supplier shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation.
E1.4 The Supplier shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
E1.5 The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Schedule 7, unless the Supplier is required to do otherwise by Law. If it is so required the Supplier shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures; ensure that:
(i) the Supplier Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7);
(ii) it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they:
(A) are aware of and comply with the Supplier’s duties under this clause;
(B) are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor;
(C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and
(D) have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:
(i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and
(iv) the Supplier complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Supplier is required by Law to retain the Personal Data.
E1.6 Subject to clause E1.7, the Supplier shall notify the Customer immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
Samples: Contract for Professional Services
Protection of Information. The provisions of this Clause CO-3, shall apply during the Call-Off Agreement Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff) comply with any notification requirements under the DPA and both Parties shall duly observe all their obligations under the DPA which arise in connection with the Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. 
The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO-3.86 allow. The Supplier shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer.
Where the Customer consents to such processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
Samples: Framework Agreement
Protection of Information. 43.1 For the purposes of this Clause, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing” shall have the meaning prescribed under the DPA.
43.2 The Contractor shall (and shall ensure that all of its Staff) comply with any Notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract.
43.3 Notwithstanding the general obligation in clause 43.2 where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor shall:
(a) Process the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Personnel Data only in accordance with written instructions from the Customer Authority (which maybe specific instructions or instructions of a general nature) as set out in this Call-Off AgreementContract or as otherwise notified by the Contracting Authority; comply with all applicable laws; Process the Service Personal Data only to the extent, ; and in such manner, manner as is necessary for the provision of the G-Cloud Services Provider’s obligations under this Contract or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service the Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff its staff and agents who may have access to Service the Personal Data; obtain prior written consent from the Contracting Authority in order to transfer the Personal Data to any sub-contractor for the provision of the Services; not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; ensure that all Supplier Staff staff and agents required to access Service the Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clauseclause ; ensure that none of the Supplier Staff publish, staff and agents publish disclose or divulge Customer’s any of the Personal Data to any third party 
parties unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the CustomerAuthority not disclose Personnel Data to any third parties in any circumstances other than with the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and
43.4 notify the Authority (within [five] Working Days) if it receives: a request from a Data Subject to have access to that person’s Personal Data; or a complaint or request relating to the Authority’s obligations under the DPA;
43.5 The provision of this Clause shall apply during the Contract Period and indefinitely after its expiry.
Samples: Passenger Framework Agreement for Whole Aircraft Charter