Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data. 25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 75 contracts
Samples: Master Agreement, Master Agreement, Master Agreement
Protection of Personal Data. 25.1 19.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 19.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 19.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 251918.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 19 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 19.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 19.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 19.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 21 contracts
Samples: Master Agreement, Master Agreement, Master Agreement
Protection of Personal Data. 25.1 26.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 26.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 26.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2526, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 26 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 26.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 26.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 26.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 20 contracts
Samples: Master Agreement, Master Agreement, Master Agreement
Protection of Personal Data. 25.1 19.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 19.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 19.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2518.118.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 18.1 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 19.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 19.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 19.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 19 contracts
Samples: Master Agreement, Master Agreement, Master Agreement
Protection of Personal Data. 25.1 24.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 24.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 24.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2524, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 24 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 24.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 24.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 24.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 16 contracts
Samples: Master Agreement, Master Agreement, Master Agreement
Protection of Personal Data. 25.1 29.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 29.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 29.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2529, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 29 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 29.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 29.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 29.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 11 contracts
Samples: Master Agreement, Master Agreement, Master Agreement
Protection of Personal Data. 25.1 18.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 18.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 18.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2517.117.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 17.1 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 18.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 18.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 18.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 11 contracts
Samples: Master Agreement, Master Agreement, Master Agreement
Protection of Personal Data. 25.1 18.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 18.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 18.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 251817.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 18 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 18.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 18.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 18.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 6 contracts
Samples: Master Agreement, Master Agreement, Master Agreement
Protection of Personal Data. 25.1 28.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 28.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 28.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2528, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 28 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 28.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 28.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 28.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 6 contracts
Samples: Master Agreement, Master Agreement, Master Agreement
Protection of Personal Data. 25.1 17.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 17.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 17.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2516.116.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 16.1 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 17.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 17.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 17.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 6 contracts
Samples: Master Agreement, Master Agreement, Master Agreement
Protection of Personal Data. 25.1 22.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 22.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 22.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2522, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 22 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 22.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 22.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 22.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 5 contracts
Samples: Master Agreement, Master Agreement, Master Agreement
Protection of Personal Data. 25.1 31.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 31.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 31.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2531, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 31 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 31.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 31.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 31.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 4 contracts
Samples: Master Agreement, Master Agreement, Master Agreement
Protection of Personal Data. 25.1 27.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 27.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 27.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2527, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 27 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 27.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 27.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 27.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 3 contracts
Samples: Master Agreement, Master Agreement, Master Agreement
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for Where any Personal Data are Processed in connection with the duration exercise of the Agreement for the fulfilment of the Parties’ rights and obligations contained herein. In performing the obligations as set out in under this Framework Agreement, the Parties shall acknowledge that the Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Authority to perform its obligations under this Framework Agreement; ensure that at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction destruction, or damage, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond damage to the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to Personal Data; not disclose or otherwise make available transfer the personal data Personal Data to any third party (including sub-contractors and employees)or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, it may do so only with for any disclosure or transfer of Personal Data to any third party, obtain the prior written permission consent of the Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 26.5.2 and Clause 26.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other Partyrequest, complaint or communication relating to the Authority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Authority with full cooperation and assistance (within the timescales reasonably required by the Authority) in relation to any complaint, communication or request made (as referred to at Clause 26.5.2(e), including by promptly providing: the Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Authority, on request by the Authority, with any Personal Data it holds in relation to a Data Subject; and if requested by the Authority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 26.5.2 and provide to the Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Party requiring such permission Supplier shall require of all such third parties, appropriate written undertakings not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be providedadequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, containing similar terms after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to that Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Authority which, if it is agreed by the Authority, shall be dealt with in accordance with Clause 18.1 (Variation Procedure) and Clauses 26.5.3(b) to 26.5.3(d); the Supplier shall set forth out in this clause 25its proposal to the Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and dealing with that any Sub-Contractors or other third party's obligations parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of its processing of the personal data. Following approval by Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the other PartyAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that they have regard to and comply with the Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirementapprovals processes in connection with, the Parties Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall keep all personal data comply with such other instructions and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments such other actions as the Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Authority on such terms as may be required by the Authority; or a data processing agreement with the Supplier on terms which are equivalent to identify all reasonably foreseeable internal those agreed between the Authority and external risks the Supplier relating to the personal data relevant Personal Data transfer, and the Supplier acknowledges that in its possession or each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under its controlthe DPA) and technical and organisation measures which the Authority deems necessary for the purpose of protecting Personal Data. The Parties Supplier shall implement and maintain appropriate safeguards against use its reasonable endeavours to assist the risks which it identifies Authority to comply with any obligations under the DPA and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Framework Agreement in such a manner way as to cause the Authority to breach any of the Authority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed to its original form, linking it to any particular individual or organisationa breach of such obligations.
Appears in 3 contracts
Samples: Vehicle Lease and Fleet Management Framework Agreement, Vehicle Lease and Fleet Management Framework Agreement, Postal Goods and Services Framework Agreement
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for Where any Personal Data are Processed in connection with the duration exercise of the Agreement for the fulfilment of the Parties’ rights and obligations contained herein. In performing the obligations as set out in under this AgreementCall Off Contract, the Parties shall acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction destruction, or damagedamage to the Personal Data, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond including the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to measures as are set out in Clauses 36.1 (Security Requirements) and 36.2 (Protection of Customer Data); not disclose or otherwise make available transfer the personal data Personal Data to any third party (including sub-contractors and employees)or Supplier Personnel unless necessary for the provision of the Services and, it may do so only with for any disclosure or transfer of Personal Data to any third party, obtain the prior written permission consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 36.6.2 and Clauses 36.1 (Security Requirements), 36.2 (Protection of Customer Data) and 36.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other Party. The Party requiring request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such permission shall require of all such third parties, appropriate written undertakings request is required or purported to be provided, containing similar terms to that set forth in this clause 25, required by Law; provide the Customer with full cooperation and dealing with that third party's obligations in respect of its processing of assistance (within the personal data. Following approval timescales reasonably required by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third partiesCustomer) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to any complaint, communication or request made (as referred to at Clause 36.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this AgreementClause 36.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, subject protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any legal retention requirements. This may be at country outside the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal dataEuropean Economic Area. The information will be destroyed Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a manner way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed to its original form, linking it to any particular individual or organisationa breach of such obligations.
Appears in 3 contracts
Samples: Call Off Contract, Call Off Contract, Call Off Contract
Protection of Personal Data. 25.1 The Parties agree acknowledge that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtainedof the Data Protection Legislation, all data will be destroyed the factual activity carried out by each of them in relation to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ their respective obligations under this Agreement;
dPanel Agreement dictates the classification of each party and shall be stated in Schedule 25. In certain circumstances, a Party may act as “Joint Controller” or a “Controller” or a “Processor”. Each Party, where it is a Controller, shall be responsible for its own compliance with all its obligations under the Data Protection Legislation. Where a Party acts as a Processor in relation to Personal Data where the other Party is Controller, the first Party shall comply and shall procure that any sub-processor complies with the Processor’s obligations in this Panel Agreement to the extent applicable. The only processing that the Processor is authorised to do is listed in Schedule 25 (Processing Personal Data) they do by the Controller and may not disclose personal data be determined by the Service Provider. The Processor shall notify the Controller immediately if it considers that any of the other Party, other than in terms of this Agreement;
e) they have Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable technical and organisational measures assistance to the Controller in place the preparation of any Data Protection Impact Assessment prior to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard commencing any processing. Such assistance may, at the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission discretion of the other Party. The Party requiring such permission shall require of all such third partiesController, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing include: a systematic description of the personal data. Following approval by envisaged processing operations and the other Party, purpose of the Party requiring permission agrees that processing; an assessment of the provisions necessity and proportionality of this clause 25 shall mutatis mutandis apply the processing operations in relation to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity Services; an assessment of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its controlrights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Parties Processor shall, in relation to any Personal Data processed in connection with its obligations under this Panel Agreement: process that Personal Data only in accordance with Schedule 25 (Processing Personal Data), unless the Processor is required to do otherwise by the requirements of the Panel Agreement or Law. If it is so required the Processor shall implement and maintain appropriate safeguards against promptly notify the risks which it identifies and shall also regularly verify Controller before processing the Personal Data unless prohibited by Law; ensure that the safeguards which it has in place Protective Measures which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that : the Processor Personnel do not process Personal Data except in accordance with this Panel Agreement (and in particular Schedule 25 (Processing Personal Data)); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Processor’s duties under this Clause; are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Panel Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been effectively implemented.
25.6 The Parties agree that they will promptly return obtained and the following conditions are fulfilled: the Controller or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected Processor has provided appropriate safeguards in relation to this Agreement, subject the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any legal retention requirements. This may be Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; at the request written direction of the other Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Panel Agreement unless the a Party and includes circumstances where a person has requested is required by Law to retain the Parties Personal Data. Subject to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original formClause 27.5.7, linking it to any particular individual or organisation.the Processor shall notify the Controller immediately if it:
Appears in 3 contracts
Samples: Panel Agreement, Panel Agreement, Panel Agreement
Protection of Personal Data. 25.1 17.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 17.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 17.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2516, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 16.1 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 17.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 17.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 17.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 3 contracts
Samples: Master Agreement, Master Agreement, Master Agreement
Protection of Personal Data. 25.1 23.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 23.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 23.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2523, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 23 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 23.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 23.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 23.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 3 contracts
Samples: Master Agreement, Master Agreement, Master Agreement
Protection of Personal Data. 25.1 The Parties parties agree that they may obtain as at the Signature Date, the provisions of Clause 29 in their entirety do not apply to this agreement on the basis that the Contractor will not receive or process any Personal Data as a Data Processor for in the performance of its Services.
29.1 To the extent that personal date is processed and have access with respect to personal data for the duration of the Agreement for the fulfilment of the parties' rights and obligations contained herein. In performing under this Agreement, the obligations parties agree that the DCC is either the Data Controller or the Data Processor and that the Contractor is the Data Processor.
29.2 To the extent that the Contractor processes Personal Data as the Data Processor for DCC, the Contractor shall:
29.2.1 Process the Personal Data only in accordance with instructions from the DCC as to the manner and purpose of the processing of this Personal Data (which may be specific instructions or instructions of a general nature as set out in this Agreement, Agreement or as otherwise notified by the Parties shall at all times ensure that:
a) they process data only for DCC to the express purpose for Contractor during the Service Period). Any such instructions which it was obtained;
b) once processed for are inconsistent with the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective parties' rights and obligations under this AgreementAgreement shall be dealt with in accordance with the Change Control Procedure;
d) they do not disclose personal data 29.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the other Party, other than in terms of this AgreementServices or as is required by Law;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have 29.2.3 implement appropriate technical and organisational measures in place to safeguard protect the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected Personal Data against unauthorised or unlawful processingProcessing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damagedamage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
29.2.4 take reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data;
29.2.5 obtain prior written consent from the DCC in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services, alterationsuch consent not to be unreasonably withheld or delayed;
29.2.6 ensure that all Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 29;
29.2.7 ensure that none of the Contractor Personnel publish, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to disclose or otherwise make available divulge any of the personal data Personal Data to any third party unless directed in writing to do so by the DCC;
29.2.8 notify the DCC (within five (5) Working Days) unless not permitted by law or regulation if it receives:
29.2.8.1 a request from a Data Subject to have access to that person's Personal Data of which DCC is the Data Controller and Contractor is the Data Processor; or
29.2.8.2 a complaint or request relating to the DCC's obligations under the Data Protection Legislation;
29.2.9 provide the DCC with full co-operation and assistance in relation to any complaint or request made, including subby:
29.2.9.1 providing the DCC with full details of the complaint or request;
29.2.9.2 enabling the DCC to comply with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the DCC's instructions;
29.2.9.3 providing the DCC with any Personal Data it holds as Data Processor in relation to a Data Subject as a result of this Agreement (within the timescales required by the DCC); and
29.2.9.4 providing the DCC with any reasonable information requested by the DCC;
29.2.10 provide a written description of the technical and organisational methods employed by the Contractor for Processing Personal Data (with DCC providing no less than 30 days notice); and
29.2.11 not Process or otherwise transfer any Personal Data outside the European Economic Area without the consent of the DCC (not to be unreasonably withheld or denied).
29.2.11.1 the Contractor shall submit a Change Request to the DCC which shall be dealt with in accordance with the Change Control Procedure and this Clause 29.2.11;
29.2.11.2 the Contractor shall set out in its Change Request and/or Impact Assessment appropriate details of the following:
(a) the Personal Data which will be Processed and/or transferred outside the European Economic Area;
(b) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area;
(c) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and
(d) how the Contractor will ensure an adequate level of protection and employees), it may do so only adequate safeguards (in accordance with the prior written permission of Data Protection Legislation and in particular so as to ensure the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing DCC's compliance with that third party's obligations the Data Protection Legislation) in respect of its processing of the personal data. Following approval by Personal Data that will be Processed and/or transferred outside the other PartyEuropean Economic Area;
29.2.11.3 in providing and evaluating the Change Request and Impact Assessment, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that they have regard to and comply with then current Guidance on, and any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirementapprovals processes in connection with, the Parties Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally; and
29.2.11.4 the Contractor shall keep all personal data comply with such other instructions and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to such other actions as the personal DCC may notify in writing, including:
(a) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Agreement or a separate data in its possession processing agreement between the parties; and
(b) procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the DCC on such terms as may be required by the DCC, which the Contractor acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under its controlthe Data Protection Legislation. The Parties Contractor shall implement and maintain appropriate safeguards against comply at all times with the risks which it identifies Data Protection Legislation as applicable and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Agreement in such a manner that it canway as to cause the DCC to breach any of its applicable obligations under the Data Protection Legislation.
29.3 DCC shall comply at all times with the Data Protection Legislation and shall not be reconstructed Process Personal Data for the purposes of this Agreement in such a way as to cause the Contractor to breach any of its original form, linking it to any particular individual or organisationapplicable obligations under the Data Protection Legislation.
Appears in 2 contracts
Samples: Agreement for the Provision of Bi/Mi Services, Agreement for the Provision of Networks and FTP Services
Protection of Personal Data. 25.1 21.1 The Parties shall observe and perform their respective obligations under the Data Protection Legislation. In respect of the Personal Data processed to perform the Services the parties agree that they may obtain and have access are joint Data Controllers .Each Party shall comply with its obligations as a Data Controller under the Data Protection Legislation
21.2 Details of the Personal Data to personal be shared under this Agreement are recorded in Schedule 15. The Parties shall process the data in accordance with Schedule 15.
21.3 When one party is transferring Personal Data (the “Disclosing Party”) to the other Party (the “Receiving Party”), the Disclosing Party shall ensure that any Personal Data that is transferred:
21.3.1 has been collected in accordance with the Data Protection Legislation; and
21.3.2 the fair processing notice given to the relevant Data Subject entitles the Receiving Party to Process such Personal Data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as purposes set out in this Agreement
21.4 Neither Party shall Process Personal Data transferred under this Agreement for any purposes other than those set out in this Agreement.
21.5 Without Limitation to Clause 21.1, the Parties shall at all times ensure thateach Party shall:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical 21.5.1 Implement and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have maintain appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction or damage, alteration, disclosure or access.damage to the Personal Data;
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to 21.5.2 not disclose or otherwise make available transfer the personal data Personal Data to any third party or Staff unless necessary to perform the Services or in the case of disclosure or transfer by the Council its other statutory duties which are not delegated by these arrangements and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the other party (including save where such disclosure or transfer is specifically authorised under the Information Sharing Protocol;
21.5.3 take all reasonable steps to ensure the reliability and integrity of any employees who have access to the Personal Data and ensure that the employees:
21.5.3.1 are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless permitted by this Agreement; and
21.5.3.2 have undergone adequate training in the Data Protection Legislation and use, care, protection and handling of Personal Data;
21.5.4 notify the other Party promptly of any known breach of technical and organisational security measures where the breach has affected or could have affected Personal Data transferred under this Agreement.
21.5.5 notify the other Party promptly if a request is received form any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; and
21.5.6 notify the other Party promptly of any complaint, communication or request regarding the Processing of Personal Data pursuant to this Agreement and provide full cooperation and assistance (within a reasonable timescale) to assist the receiving party in responding to the complaint within any relevant deadlines set out in the Data Protection Legislation.
21.6 On receipt of any request or enquiry from an Information Regulator that relates to Personal Data transferred under this Agreement, each Party shall notify the other and shall provide the other with all reasonable assistance to allow the Party in receipt of the request to respond.
21.7 Each Party shall allow access to its premises and reasonable notice and provide all reasonable assistance to the other Party to provide the other Party with reasonable assurance that this Agreement is being complied with.
21.8 In the event of a request relating to Personal Data transferred under this agreement from a Data Subject:
21.8.1 for subject access, the Party who has received the request shall notify the other Party promptly. The other Party shall provide reasonable assistance to allow the Party who has received the request to respond to the Data Subject within the timescales set out in the Data Protection Legislation;
21.8.2 for the rectification or erasure of Personal Data or restriction of Processing, the Party who has received the request shall determine whether such request is valid under the Data Protection Legislation. In the event that the Party which has received the request determines that the relevant Personal Data should be rectified or erased or that any Processing shall be restricted, it shall notify the other Party promptly. The Party receiving the notification shall rectify or erase the Personal Data or restrict Processing (as applicable) promptly.
21.9 The Parties shall not Process or otherwise transfer any Personal Data in or to any Restricted Country. If, after the Effective Date, a Party wishes to Process and/or transfer any Personal Data in or to any Restricted Country, the following provisions shall apply:
21.9.1 the Party wishing to transfer the Personal Data shall submit a request to the other Party which, if agreed, shall be dealt with in accordance with Clause 21.9.2.1 to 21.9.2.4
21.9.2 the Party wishing to transfer the Personal Data shall set out in its request details of the following:
21.9.2.1 the Personal Data which will be transferred to and/or Processed in any Restricted Country;
21.9.2.2 the Restricted Country or Countries which the Personal Data will be transferred to and/or Processed in;
21.9.2.3 any sub-contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; and
21.9.2.4 how the Party wishing to transfer the Personal Data will ensure an adequate level of protection and employees), it may do adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so only with the prior written permission of as to ensure the other Party. ’s compliance with the Data Protection Legislation;
21.9.3 In providing and evaluating the request under Clause 21.9.1, the Parties shall ensure that they have regard to and comply with then current Council, Central Government Bodies and Information Regulator policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Country; and
21.9.4 The Party requiring wishing to transfer the Personal Data shall comply with such permission other instructions and shall require of all carry out such other actions as the other Party may notify in writing, including;
21.9.4.1 incorporating standard and/or model clauses (which are in line with Good Industry Practice and offer adequate safeguards under the Data Protection Legislation) into this Agreement or a separate data processing agreement between the Parties; and
21.9.4.2 procuring that any sub-contractor or other third parties, appropriate written undertakings to party who will be provided, containing similar Processing and/or receiving or accessing the Personal Data in any Restricted Country either enters into:
21.9.4.2.1 a direct data processing agreement with the other party on such terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval as may be required by the other Party, ; or
21.9.4.2.2 a data processing agreement with the Party requiring permission agrees that wishing to transfer the provisions of this clause 25 shall mutatis mutandis apply Personal Data on terms which are equivalent to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees those agreed between the other party and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks sub- contractor relating to the personal data relevant Personal Data transfer; and in its possession or each case the Party wishing to transfer the Personal Data acknowledges such agreements may include the incorporation of model contract provisions (which are in line with Good Industry Practice as offering adequate safeguards under its control. The Parties shall implement the Data Protection Legislation) and maintain appropriate safeguards against the risks technical and organisation measures which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves deems necessary for the purpose of protection of Personal Data.
21.10 The Trust must nominate an Information Governance Lead, a Caldicott Guardian and Senior Information Risk Owner and advise the Council of the identities and contact details of those individuals.
21.11 The Trust must report any serious data security breaches it makes to the Information Regulator in accordance with the NHS Information Governance Toolkit and the Council must report any serious data security breaches it makes to the Information Regulator in accordance with its policy governing information security incidents from time to time which takes account of the guidance published by the Information Regulator for which the public sector on self-reporting. Where a Party has reported in this way, it was collected must consider the mitigating measures that are to be put in relation place to this Agreement, subject minimise damage to any legal retention requirementsall affected and potentially affected parties. This may be at the request of Each Party shall use its reasonable endeavours to assist the other Party and includes circumstances where a person has requested in complying with its obligations under the Parties to delete all instances of their personal dataData Protection Legislation. The information will be destroyed Each Party shall not perform its obligations under this Agreement in such a manner way as to cause the other Party to breach its obligations under the Data Protection Legislation to the extent it is reasonably aware or ought reasonably to have been aware, that it cannot the same would be reconstructed a breach of such obligations.
21.12 The Parties acknowledge their respective obligations arising under the Data Protection Legislation, EIR and HRA, and under the common law duty of confidentiality, and must assist each other as necessary to its original form, linking it enable each other to any particular individual or organisationcomply with these obligations.
Appears in 2 contracts
Samples: Section 75 Agreement, Section 75 Agreement
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for Where any Personal Data are Processed in connection with the duration exercise of the Agreement for the fulfilment of the Parties’ rights and obligations contained herein. In performing the obligations as set out in under this AgreementCall Off Contract, the Parties shall acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction destruction, or damagedamage to the Personal Data, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond including the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 (Protection of Customer Data); not disclose or otherwise make available transfer the personal data Personal Data to any third party (including sub-contractors or Supplier Personnel unless necessary for the provision of the Goods and employees)Services and, it may do so only with for any disclosure or transfer of Personal Data to any third party, obtain the prior written permission consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 and Clauses 34.1 (Security Requirements), 34.3 (Protection of Customer Data) and 34.4 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other Partyrequest, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Party requiring such permission Supplier shall require of all such third parties, appropriate written undertakings not Process or cause or permit any Personal Data to be providedtransferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval. If, containing similar terms after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to that Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b) to 34.7.3(d); the Supplier shall set forth out in this clause 25its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and dealing with that the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third party's obligations parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of its processing of the personal data. Following approval by Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the other PartyCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirementapprovals processes in connection with, the Parties Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall keep all personal data comply with such other instructions and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to identify all reasonably foreseeable internal those agreed between the Customer and external risks the Sub-Contractor relating to the personal data relevant Personal Data transfer, and in its possession or each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under its controlthe DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Parties Supplier shall implement and maintain appropriate safeguards against use its reasonable endeavours to assist the risks which it identifies Customer to comply with any obligations under the DPA and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Call Off Contract in such a manner way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed to its original form, linking it to any particular individual or organisationa breach of such obligations.
Appears in 2 contracts
Samples: Call Off Order Form and Call Off Terms, Call Off Contract
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual ororganisation.
25.7 Personal Information security breach: Supplier/Service Provider’s Obligations
a) The Supplier/Service Provider shall notify the Information Officer of Transnet, in writing as soon as possible after it becomes aware of or organisationsuspects any loss, unauthorised access or unlawful use of any personal data and shall, at its own cost, take all necessary remedial steps to mitigate the extent of the loss or compromise of personal data and to restore the integrity of the affected Goods/Services as quickly as is possible. The Supplier/Service Provider shall also be required to provide Transnet with details of the persons affected by the compromise and the nature and extent of the compromise, including details of the identity of the unauthorised person who may have accessed or acquired the personal data.
b) The Supplier/Service Provider shall provide on-going updates on its progress in resolving the compromise at reasonable intervals until such time as the compromise is resolved.
c) Where required, the Supplier/Service Provider may be required to notify the South African Police Service; and/or the State Security Agency and where applicable, the relevant regulator and/or the affected persons of the security breach. Any such notification shall always include sufficient information to allow the persons to take protective measures against the potential consequences of the compromise.
d) The Supplier/Service Provider undertakes to co‑operate in any investigation relating to security which is carried out by or on behalf of Transnet including providing any information or material in its possession or control and implementing new security measures.
Appears in 2 contracts
Samples: Master Agreement, Master Agreement
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for Where any Personal Data are Processed in connection with the duration exercise of the Agreement for the fulfilment of the Parties’ rights and obligations contained herein. In performing the obligations as set out in under this AgreementCall Off Contract, the Parties shall acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction destruction, or damagedamage to the Personal Data, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond including the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); not disclose or otherwise make available transfer the personal data Personal Data to any third party (including sub-contractors and employees)or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, it may do so only with for any disclosure or transfer of Personal Data to any third party, obtain the prior written permission consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.6.2 and Clauses 34.1 (Security Requirements), 34.2 (Protection of Customer Data) and 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other Partyrequest, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Party requiring such permission Supplier shall require of all such third parties, appropriate written undertakings not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be providedadequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, containing similar terms after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to that Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.6.3(b) to 34.6.3(c); the Supplier shall set forth out in this clause 25, its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and dealing with that any Sub-Contractors or other third party's obligations parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of its processing of the personal data. Following approval by Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the other PartyCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirementapprovals processes in connection with, the Parties Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall keep all personal data comply with such other instructions and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to identify all reasonably foreseeable internal those agreed between the Customer and external risks the Sub-Contractor relating to the personal data relevant Personal Data transfer, and in its possession or each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under its controlthe DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Parties Supplier shall implement and maintain appropriate safeguards against use its reasonable endeavours to assist the risks which it identifies Customer to comply with any obligations under the DPA and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Call Off Contract in such a manner way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed to its original form, linking it to any particular individual or organisationa breach of such obligations.
Appears in 2 contracts
Samples: Call Off Agreement, Call Off Contract
Protection of Personal Data. 25.1 With respect to the Parties' rights and obligations under this DPS Agreement, the Parties acknowledge that the Authority is the Controller and that the Supplier is the Processor. The Parties agree only Processing that they the Supplier is authorised to do is as specified in Schedule 13 of this DPS Agreement and may obtain not be determined by the Supplier. The Supplier shall: notify the Authority immediately if it considers that any of the Authority's instructions infringe the Data Protection Legislation; provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of the Authority, include: a systematic description of the envisaged Processing operations and the purpose of the Processing; an assessment of the necessity and proportionality on the Processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Supplier shall, in relation to any Personal Data Processed in connection with its obligations under this DPS Agreement: process the Personal Data only in accordance with DPS Agreement Schedule 13, unless the Supplier is required to do otherwise by Law. If it is so required the Supplier shall promptly notify the Authority before Processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by the Authority as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Supplier Personnel do not Process Personal Data except in accordance with this DPS Agreement (and in particular DPS Agreement Schedule 13); it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to personal data for the duration Personal Data and ensure that they: are aware of and comply with the Supplier’s duties under this Clause; are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Authority or as otherwise permitted by this DPS Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data. not transfer Personal Data outside of the European Union (“EU”) unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled: the Authority or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Authority; the Data Subject has enforceable rights and effective legal remedies; the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and the Supplier complies with any reasonable instructions notified to it in advance by the Authority with respect to the Processing of the Personal Data. at the written direction of the Authority, delete or return Personal Data (and any copies of it) to the Authority on termination of the DPS Agreement unless the Supplier is required by Law to retain the Personal Data. Subject to Clause 21.6.5, the Supplier shall notify the Authority immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data Processed under this DPS Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. Taking into account the fulfilment nature of the Processing, the Supplier shall provide the Authority with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 21.6.4 (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: the Authority with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Authority following any Data Loss Event; and assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner's Office. The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this Clause. This requirement does not apply where the Supplier employs fewer than two hundred and fifty (250) staff, unless: the Authority determines that the Processing is not occasional; the Authority determines the Processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and the Authority determines that the Processing is likely to result in a risk to the rights and obligations contained hereinfreedoms of Data Subjects. In performing The Supplier shall allow for audits of its Data Processing activity by the obligations as Authority or the Authority’s designated auditor. The Supplier shall designate a Data Protection Officer if required by the Data Protection Legislation. Before allowing any Sub-processor to Process any Personal Data related to this DPS Agreement, the Supplier must: (a) notify the Authority in writing of the intended Sub-processor and Processing; (b) obtain the written consent of the Authority; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this Agreement, the Parties shall at all times ensure that:
a) Clause 21.6 such that they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.Sub-processor; and
Appears in 2 contracts
Samples: Dynamic Purchasing System Agreement, Dynamic Purchasing System Agreement
Protection of Personal Data. 25.1 26.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 26.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 26.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25clause26, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 26 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 26.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 26.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 26.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 2 contracts
Samples: Master Agreement, Master Agreement
Protection of Personal Data. 25.1 17.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 17.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 17.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2516.116.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 16.1 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 17.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 17.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 17.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.includes
Appears in 2 contracts
Samples: Master Agreement, Master Agreement
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access Arrangement between the Parties
36.1 With respect to personal data for the duration of the Agreement for the fulfilment of the Parties' rights and obligations contained herein. In performing the obligations as set out in under this Agreement, the Parties shall at all times ensure thatacknowledge that the DCC is a Data Controller and that the Contractor is a Data Processor. In respect of the Contractor's Processing under this Agreement:
a) they process data only for 36.1.1 the express subject-matter, nature and purpose for which it was obtained;
b) once processed of the Processing will be DCC employee and supply chain contact details used for the purposes for which it was obtained, all data of liaising with such parties to perform the Services and/or as required to assist in delivering the Objectives;
36.1.2 the type of Personal Data being processed will be destroyed to an extent that it cannot be reconstructed to its original formPersonal Data of names, contact addresses, email addresses and telephone numbers;
c) data is provided 36.1.3 the duration of the Processing shall be the term of this Agreement; and
36.1.4 the parties will use the Variation Procedure to agree any changes to this clause for the Transition to Live and Operational Phase. Processor obligations
36.2 The Contractor shall:
36.2.1 Process the Personal Data only in accordance with instructions from the DCC to authorised personnel who strictly require the personal data to carry out the Parties’ respective perform its obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have 36.2.2 ensure that at all reasonable technical and organisational measures times it has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, processing of the Personal Data and/or accidental loss, destruction or damagedamage to the Personal Data, alterationincluding the measures as are set out in Clause 35 (DCC Data), disclosure or access.Clause 41 (Security Requirements) and the Security Management Plan;
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to 36.2.3 not disclose or otherwise make available transfer the personal data Personal Data to any third party or Contractor Personnel, or allow a third party or Contractor Personnel access to the Personal Data, unless necessary for the provision of the Services and:
(including sub-contractors and employees)a) for any disclosure or transfer of Personal Data to any third party, it may do so only with the prior written permission consent of the DCC;
(b) where the Contractor wishes to appoint a sub-Processor, in compliance with Clause 27 (Supply Chain Rights) and any applicable conditions under such Clause 27 (Supply Chain Rights) or Clause 36.3;
36.2.4 take all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that the Contractor Personnel:
(i) are aware of and comply with the Contractor’s duties under this Clause 36.2 and Clauses 37 (Confidentiality), 35 (DCC Data) and 41 (Security Requirements);
(ii) are subject to appropriate confidentiality undertakings with the Contractor or the relevant Sub- contractor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the DCC or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the Data Protection Laws);
36.2.5 notify the DCC within 48 hours if it:
(a) receives from a Data Subject (or third party on their behalf):
(i) a Data Subject Access Request (or purported Data Subject Access Request);
(ii) a request to rectify, block or erase any Personal Data; or
(iii) any other request, complaint or communication relating to either Party. The Party requiring 's obligations under the Data Protection Laws;
(b) considers that any of the instructions from the DCC infringe the Data Protection Laws;
(c) receives any Regulator Correspondence or any other any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data Processed under this Agreement;
(d) receives a request from any third party for disclosure of Personal Data where compliance with such permission shall require of all such third parties, appropriate written undertakings request is required or purported to be providedrequired by Law; or
(e) is required by Law to commit an act or omission that would, containing similar terms to that set forth in but for Clause 36.2, constitute a breach of this clause 25, Clause 36;
36.2.6 provide the DCC with full co-operation and dealing with that third party's obligations in respect of its processing of assistance (within the personal data. Following approval timescales reasonably required by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third partiesDCC) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to either Party's obligations under the Data Protection Laws or any complaint, communication or request made as referred to in Clause 36.2.5, including by promptly providing:
(a) the DCC with full details and copies of the complaint, communication or request;
(b) where applicable, such assistance as is reasonably requested by the DCC to enable the DCC to comply with the Data Subject Access Request within the relevant timescales set out in the Data Protection Laws; and
(c) the DCC, on request by the DCC, with any Personal Data it holds in relation to a Data Subject; and
36.2.7 assistance following a security breach or incident involving Personal Data as required by the DCC including with respect to the DCC's consultation with the Information Commissioner's Office; and
36.2.8 if requested by the DCC, provide a written description of the measures that it has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this AgreementClause 36 and provide to the DCC copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
36.3 The Contractor shall not Process or otherwise transfer any Personal Data in or to any Restricted Country without the DCC's prior written consent. If, after the Commencement Date, the Contractor or any Sub-contractor wishes to Process and/or transfer any Personal Data in or to any Restricted Country, the Contractor shall, in seeking consent, submit such information as the DCC's shall require in order to enable it to consider the request and acknowledges that such consent may be given subject to any legal retention requirements. This may conditions which will, if appropriate, be incorporated into this Agreement at the request of Contractor's cost and expense using the other Party Variation Procedure.
36.4 The Contractor shall use its reasonable endeavours to assist the DCC to comply with any obligations under the Data Protection Laws and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed shall not perform its obligations under this Agreement in such a manner way as to cause the DCC to breach any of the DCC’s obligations under the Data Protection Laws to the extent the Contractor is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed a breach of such obligations.
36.5 The Contractor shall indemnify and keep indemnified the DCC at all times against any Losses incurred by the DCC in connection with the Contractor's breach of this Clause 36 and/or any failure by the Contractor or any Sub- contractor to its original form, linking it comply with their respective obligations under Data Protection Laws.
36.6 Nothing in this Clause 36 shall be construed as requiring the Contractor or any relevant Sub-contractor to be in breach of any particular individual or organisationData Protection Laws.
Appears in 2 contracts
Samples: Agreement for the Provision of Software Development and Related Services, Agreement for the Provision of Software Development and Related Services
Protection of Personal Data. 25.1 17.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 17.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 17.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 251716.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 17 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 17.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 17.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 17.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 2 contracts
Samples: Master Agreement, Master Agreement
Protection of Personal Data. 25.1 The Parties agree acknowledge that they for the purposes of the Data Protection Legislation, the factual activity carried out by each of them in relation to their respective obligations under this Call Off Contract dictates the classification of each party. In certain circumstances, a Party may obtain act as “Joint Controller” or a “Controller” or a “Processor”. Each Party, where it is a Controller, shall be responsible for its own compliance with all its obligations under the Data Protection Legislation. Where a Party acts as a Processor in relation to Personal Data where the other Party is Controller, the first Party shall comply and shall procure that any subprocessor complies with the Processor’s obligations in this Call Off Contract to the extent applicable. The only processing that the Processor is authorised to do is listed in Schedule 15 (Processing Personal Data) by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Call Off Contract: process that Personal Data only in accordance with Schedule 15 (Processing Personal Data), unless the Processor is required to do otherwise by the requirements of the Call Off Contract or Law. If it is so required the Processor shall promptly notify the Buyer before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures) having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that : the Processor Personnel do not process Personal Data except in accordance with this Call Off Contract (and in particular Schedule 15 (Processing Personal Data)); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to personal data for the duration Personal Data and ensure that they: are aware of and comply with the Processor’s duties under this Xxxxxx; are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; are informed of the Agreement confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of Personal Data; not transfer Personal Data outside of the EU unless the prior written consent of the Buyer has been obtained and the following conditions are fulfilled: the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Call Off Contract unless the Processor is required by Law to retain the Personal Data. Subject to Clause 21.5.7, the Processor shall notify the Controller immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Call Off Contract; receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Processor’s obligation to notify under Clause 21.5.5 shall include the fulfilment provision of further information to the Controller in phases, as details become available. Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 21.5.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: the Controller with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Controller following any Data Loss Event; assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Buyer with the Information Commissioner's Office. The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this Clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: the Controller determines that the processing is not occasional; the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and the Controller determines that the processing is likely to result in a risk to the rights and obligations contained hereinfreedoms of Data Subjects. In performing The Processor shall allow for audits of its Data Processing activity by the obligations as Controller or the Controller’s designated auditor. The Processor shall designate a Data Protection Officer if required by the Data Protection Legislation. Before allowing any Sub-processor to process any Personal Data related to this Call Off Contract, the Processor must: notify the Controller in writing of the intended Sub-processor and processing; obtain the written consent of the Controller; enter into a written agreement with the Sub-processor which give effect to the terms set out in this Agreement, Clause 21.5.11 such that they apply to the Parties Sub-processor; and provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. The Processor shall at remain fully liable for all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data acts or omissions of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 any Sub-processor. The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to take account of any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval guidance issued by the other Party, the Party requiring permission agrees that the provisions of Information Commissioner’s Office and amend this clause 25 shall mutatis mutandis apply Call Off Contract to all authorised third parties who process personal data.
25.4 The Parties shall ensure that it complies with any persons authorized to process data on their behalf (including employees and third parties) will safeguard guidance issued by the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by itInformation Commissioner’s Office.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 2 contracts
Protection of Personal Data. 25.1 23.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 23.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 23.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2524, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 2423 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 23.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 23.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 23.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 2 contracts
Samples: Master Agreement, Master Agreement
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for Where any Personal Data are Processed in connection with the duration exercise of the Agreement for the fulfilment of the Parties’ rights and obligations contained herein. In performing the obligations as set out in under this AgreementCall Off Contract, the Parties shall acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction destruction, or damagedamage to the Personal Data, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond including the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to measures as are set out in Clauses 37.1 (Security Requirements) and 37.2 (Protection of Customer Data); not disclose or otherwise make available transfer the personal data Personal Data to any third party (including sub-contractors and employees)or Supplier Personnel unless necessary for the provision of the Products and/or Servicesand, it may do so only with for any disclosure or transfer of Personal Data to any third party, obtain the prior written permission consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under Clause 37.5.2 and Clauses 37.1 (Security Requirements), 37.2 (Protection of Customer Data) and 37.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other Partyrequest, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 37.5.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to Clause 37.5.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Party requiring such permission Supplier shall require not Process or otherwise transfer any Personal Data in or to a Restricted Country. If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 37.5.3(b) to 37.5.3(c); the Supplier shall set out in its proposal to the Customer for a Variation details of all such the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties, appropriate written undertakings to parties who will be provided, containing similar terms to that set forth Processing and/or receiving Personal Data in this clause 25, Restricted Countries; how the Supplier will ensure an adequate level of protection and dealing with that third party's obligations adequate safeguards in respect of its processing of the personal data. Following approval by Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the other PartyCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirementapprovals processes in connection with, the Parties Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall keep all personal data comply with such other instructions and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to identify all reasonably foreseeable internal those agreed between the Customer and external risks the Sub-Contractor relating to the personal data relevant Personal Data transfer, and in its possession or each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under its controlthe DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Parties Supplier shall implement and maintain appropriate safeguards against use its reasonable endeavours to assist the risks which it identifies Customer to comply with any obligations under the DPA and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Call Off Contract in such a manner way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed to its original form, linking it to any particular individual or organisationa breach of such obligations.
Appears in 2 contracts
Samples: Call Off Contract, Call Off Order Form
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access With respect to personal data for the duration of the Agreement for the fulfilment of the parties' rights and obligations contained hereinunder this Contract, the parties agree that the Customer is the Data Controller and that the Service Provider is the Data Processor. In performing The Service Provider shall: Process the obligations Personal Data only in accordance with instructions from the Customer (which may be specific instructions or instructions of a general nature as set out in this AgreementContract or as otherwise notified by the Customer to the Service Provider during the Contract Period); Process the Personal Data only to the extent, the Parties shall at all times ensure that:
a) they process data only and in such manner, as is necessary for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data provision of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures in place to safeguard protect the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected Personal Data against unauthorised or unlawful processingProcessing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damagedamage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data; obtain prior written consent from the Customer in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services; ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 6.4; ensure that none of Staff publish, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to disclose or otherwise make available divulge any of the personal data Personal Data to any third party unless directed in writing to do so by the Customer; notify the Customer (within five Working Days or such other period as specified in the Order Form (if any)) if it receives: a request from a Data Subject to have access to that person's Personal Data; or a complaint or request relating to the Customer's obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made, including sub-contractors by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and employeesin accordance with the Customer's instructions; providing the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Customer; permit the Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), it may do so only to inspect and audit, the Service Provider's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Service Provider is in full compliance with its obligations under this Contract; provide a written description of the technical and organisational methods employed by the Service Provider for Processing Personal Data (within the timescales required by the Customer); and not Process Personal Data outside the European Economic Area without the prior written permission consent of the other PartyCustomer and, where the Customer consents to a transfer, to comply with: the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the Customer. The Party requiring such permission Service Provider shall require of comply at all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing times with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies Data Protection Legislation and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Contract in such a manner that it cannot be reconstructed way as to cause the Customer to breach any of its original form, linking it to any particular individual or organisationapplicable obligations under the Data Protection Legislation.
Appears in 2 contracts
Samples: Ict Consultancy and Delivery Services Framework Agreement, Ict Consultancy and Delivery Services Framework Agreement
Protection of Personal Data. 25.1 The Parties parties agree that they may obtain as at the Signature Date, the provisions of Clause 29 in their entirety do not apply to this agreement on the basis that the Contractor will not receive or process any Personal Data as a Data Processor for in the performance of its Services.
29.1 To the extent that personal date is processed and have access with respect to personal data for the duration of the Agreement for the fulfilment of the parties' rights and obligations contained herein. In performing under this Agreement, the obligations parties agree that the DCC is either the Data Controller or the Data Processor and that the Contractor is the Data Processor.
29.2 To the extent that the Contractor processes Personal Data as the Data Processor for DCC, the Contractor shall:
29.2.1 Process the Personal Data only in accordance with instructions from the DCC as to the manner and purpose of the processing of this Personal Data (which may be specific instructions or instructions of a general nature as set out in this Agreement, Agreement or as otherwise notified by the Parties shall at all times ensure that:
a) they process data only for DCC to the express purpose for Contractor during the Service Period). Any such instructions which it was obtained;
b) once processed for are inconsistent with the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective parties' rights and obligations under this AgreementAgreement shall be dealt with in accordance with the Change Control Procedure;
d) they do not disclose personal data 29.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the other Party, other than in terms of this AgreementServices or as is required by Law;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have 29.2.3 implement appropriate technical and organisational measures in place to safeguard protect the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected Personal Data against unauthorised or unlawful processingProcessing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damagedamage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
29.2.4 take reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data;
29.2.5 obtain prior written consent from the DCC in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services, alterationsuch consent not to be unreasonably withheld or delayed;
29.2.6 ensure that all Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 29;
29.2.7 ensure that none of the Contractor Personnel publish, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to disclose or otherwise make available divulge any of the personal data Personal Data to any third party (including sub-contractors and employees), it may unless directed in writing to do so only with by the prior written permission of DCC;
29.2.8 notify the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings DCC (within five (5) Working Days) unless not permitted by law or regulation if it receives:
29.2.8.1 a request from a Data Subject to be provided, containing similar terms have access to that set forth in this clause 25, person's Personal Data of which DCC is the Data Controller and dealing with that third partyContractor is the Data Processor; or
29.2.8.2 a complaint or request relating to the DCC's obligations in respect of its processing of under the personal data. Following approval by Data Protection Legislation;
29.2.9 provide the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees DCC with full co-operation and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected assistance in relation to this Agreementany complaint or request made, subject to any legal retention requirements. This may be at including by:
29.2.9.1 providing the request DCC with full details of the other Party complaint or request;
29.2.9.2 enabling the DCC to comply with a data access request within the relevant timescales set out in the Data Protection Legislation and includes circumstances where in accordance with the DCC's instructions;
29.2.9.3 providing the DCC with any Personal Data it holds as Data Processor in relation to a person has Data Subject as a result of this Agreement (within the timescales required by the DCC); and
29.2.9.4 providing the DCC with any reasonable information requested by the Parties DCC;
29.2.10 provide a written description of the technical and organisational methods employed by the Contractor for Processing Personal Data (with DCC providing no less than 30 days notice); and
29.2.11 not Process or otherwise transfer any Personal Data outside the European Economic Area without the consent of the DCC (not to delete all instances of their personal data. The information will be destroyed unreasonably withheld or denied).
29.2.11.1 the Contractor shall submit a Change Request to the DCC which shall be dealt with in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.accordance with the Change Control Procedure and this Clause 29.2.11;
Appears in 1 contract
Samples: Agreement for the Provision of Smart Meter Key Infrastructure (Smki) Services
Protection of Personal Data. 25.1 28.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised authorized personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational organizational measures in place to protect all personal data from unauthorised unauthorized access and/or andor use;
f) they have appropriate technical and organisational organizational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised unauthorized or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 28.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 28.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2529, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 29 shall mutatis mutandis apply to all authorised authorized third parties who process personal data.
25.4 28.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 28.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks risks, which it identifies and shall also regularly regularly, verify that the safeguards which it has in place has been effectively implemented.
25.6 28.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisationororganization.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 21.1 OPAP S.A. implements a Personal Data Protection Policy, in accordance with the General Data Protection Regulation [Regulation (EU) 2016/679] and L. 4624/2019 (Α΄ 137), which Policy is posted on the Website.
21.2 The Parties agree legal basis for the processing of the Player’s personal data, and detailed information regarding the purposes, the duration of processing and the rights of the Player concerning the processing of his/her personal data are included in the Personal Data Protection Policy.
21.3 By accepting the Personal Data Protection Policy, the subject of the data shall be informed on their processing, in accordance with the terms therein.
21.4 OPAP S.A. observes the General Data Protection Regulation and L. 4624/2019 (Α' 137), takes all appropriate preventive technical and organization measures so that is restrict the risk of illegal data processing and of Players’ identification through technical or other means that can reasonably be used by third parties, safeguarding that itself, anyone executing the processing, as well as those having an employment, project or order relationship with it do not share the identity of the persons they know that Participate in the Games or who have acquired any winnings or have lost any amount by such Participation thereof, and that they may obtain do not share, for any reason, their personal details and data without the prior written consent of the Player, unless such consent is not required when the data are made available in the context of obligations borne by the Holder and those having an employment, project or order relationship with it, per the law, as well as when such data are necessary to raise or refute claims in the framework of litigations and for the defense of the legitimate interest of the Holder or of third parties , provided that it prevails over the Player’s rights.
21.5 When consent is required, the Player, as the data subject, shall have the right to revoke it at any time; however, the revocation of the consent shall not affect the lawfulness of the processing based on the consent prior to its revocation.
21.6 The Player, as the data subject, shall be informed on any amendment or expansion of the purposes of processing and of the categories of the data to be processed, in order to provide a new consent, otherwise the Agreement shall be dissolved ex officio.
21.7 The Player, as the data subject, is obliged to immediately inform XXXX S.A. in case the data recorded during his/her registration on the Website have changed, either by himself/herself proceeding to the updating of the details of his/her Online Account, or via communication with OPAP S.A., by observing the provisions of the AML Regulation.
21.8 The HGC, as well as any other competent public body or authority shall have access to personal the data and shall be allowed to process them when such processing is necessary for the duration fulfillment of an obligation executed in favor of the Agreement for public interest or during the fulfilment exercise of the rights public power having been assigned to them.
21.9 The Player, as the data subject, shall accept and obligations contained herein. In performing declare that he/she was informed on the obligations as set out in this AgreementPersonal Data Protection Policy of OPAP S.A., otherwise the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it canAgreement may not be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or accessconcluded.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 1 contract
Samples: Accession Agreement
Protection of Personal Data. 25.1 27.1 The Parties agree Supplier shall (and shall procure that they may obtain and have access to personal data for any of its Staff and/or Sub-Contractors involved in the duration provision of the Agreement for Agreement) comply with any notification requirements under the fulfilment of Data Protection Legislation and both Parties will duly observe their obligations under the rights and obligations contained herein. In performing the obligations as set out Data Protection Legislation, which arise in connection with this Agreement.
27.2 Notwithstanding the general obligation in Clause 27.1, where the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtainedSupplier or any of its Staff and/or Sub-Contractors, all data will be destroyed to an extent that it cannot be reconstructed to in performing its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data , processes Personal Data as a Data Processor on behalf of the other PartyCustomer, other than in terms of this Agreement;the Supplier shall and shall procure that its Staff and/or Sub-Contractors:
e) they have all reasonable technical and organisational measures 27.2.1 ensure that has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational contractual measures in place to safeguard ensure the security, integrity security of the Personal Data (and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected to guard against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval Personal Data and against accidental loss or destruction of, or damage to, the Personal Data), as required under the Seventh Data Protection Principle in Schedule 1 to the Data Protection Xxx 0000;
27.2.2 provide the Customer with such information as the Customer may reasonably require to satisfy itself that the [Service Provider] is complying with its obligations under the Data Protection Legislation;
27.2.3 promptly notify the Customer of any breach of the security measures required to be put in place pursuant to Clause 27.2.1;
27.2.4 ensure it does not knowingly or negligently do or omit to do anything which places the Customer in breach of the Customer's obligations under the Data Protection Legislation;
27.2.5 not without the Customer’s prior written consent (which the Customer may withhold at its absolute discretion), do anything which would cause Personal Data to be transferred outside the European Economic Area
27.2.6 act only on instructions from the Customer as Data Controller; and
27.2.7 comply with the Customer’s instructions in relation to the processing of Personal Data as such instructions are given and varied from time to time by the other Party, Customer.
27.3 The Supplier undertakes to use best endeavours to procure that its Sub-Contractors maintain appropriate security systems.
27.4 The Supplier shall ensure that its contracts with its Sub-Contractors include provisions which oblige each Sub-Contractor to promptly notify the Party requiring permission agrees Customer of any breach of security in relation to the Supplier's Confidential Information or data.
27.5 The Supplier shall ensure that its contracts with its Sub-Contractors impose an obligation on each Sub-Contractor to co-operate with the Supplier and/or Customer in any investigation that either considers necessary to undertake as a result of any breach of security in relation to the Customer's Confidential Information or data.
27.6 The provisions of this clause 25 Clause 27 shall mutatis mutandis apply to all authorised third parties who process personal dataduring the continuance of this Agreement and indefinitely after its expiry or termination.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 1 contract
Samples: Framework Agreement
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) : they process data only for the express purpose for which it was obtained;
b) ; once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) ; data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) ; they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) ; they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) ; they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) ; such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 . The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 . Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 250, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 0 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 . The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 . The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 . The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation. Personal Information security breach: Supplier/Service Provider’s Obligations The Supplier/Service Provider shall notify the Information Officer of Transnet, in writing as soon as possible after it becomes aware of or suspects any loss, unauthorised access or unlawful use of any personal data and shall, at its own cost, take all necessary remedial steps to mitigate the extent of the loss or compromise of personal data and to restore the integrity of the affected Goods/Services as quickly as is possible. The Supplier/Service Provider shall also be required to provide Transnet with details of the persons affected by the compromise and the nature and extent of the compromise, including details of the identity of the unauthorised person who may have accessed or acquired the personal data. The Supplier/Service Provider shall provide on-going updates on its progress in resolving the compromise at reasonable intervals until such time as the compromise is resolved. Where required, the Supplier/Service Provider may be required to notify the South African Police Service; and/or the State Security Agency and where applicable, the relevant regulator and/or the affected persons of the security breach. Any such notification shall always include sufficient information to allow the persons to take protective measures against the potential consequences of the compromise. The Supplier/Service Provider undertakes to co‑operate in any investigation relating to security which is carried out by or on behalf of Transnet including providing any information or material in its possession or control and implementing new security measures. The Parties hereby undertake the following with regard to Confidential Information: not to divulge or disclose to any person whomsoever in any form or manner whatsoever, either directly or indirectly, any Confidential Information of the other without the prior written consent of such other Party, other than when called upon to do so in accordance with a statute, or by a court having jurisdiction, or by any other duly authorised and empowered authority or official, in which event the Party concerned shall do what is reasonably possible to inform the other of such a demand and each shall assist the other in seeking appropriate relief or the instituting of a defensive action to protect the Confidential Information concerned; not to use, exploit, permit the use of, directly or indirectly, or in any other manner whatsoever apply the Confidential Information disclosed to it as a result of this Agreement, for any purpose whatsoever other than for the purpose for which it is disclosed or otherwise than in strict compliance with the provisions in this Agreement; not to make any notes, sketches, drawings, photographs or copies of any kind of any part of the disclosed Confidential Information without the prior written consent of such other Party, except when reasonably necessary for the purpose of this Agreement, in which case such copies shall be regarded as Confidential Information; not to de-compile, disassemble or reverse engineer any composition, compilation, concept application, item, component de-compilation, including software or hardware disclosed and shall not analyse any sample provided by Transnet, or otherwise determine the composition or structure or cause to permit these tasks to be carried out except in the performance of its obligations pursuant to this Agreement; not to exercise less care to safeguard Transnet Confidential Information than the Party exercises in safeguarding its own competitive, sensitive or Confidential Information; Confidential Information disclosed by either Party to the other or by either Party to any other party used by such party in the performance of this Agreement, shall be dealt with as “restricted” or shall be dealt with according to any other appropriate level of confidentiality relevant to the nature of the information concerned, agreed between the Parties concerned and stipulated in writing for such information in such cases; the Parties shall not make or permit to be made by any other person subject to their control, any public statements or issue press releases or disclose Confidential Information with regard to any matter related to this Agreement, unless written authorisation to do so has first been obtained from the Party first disclosing such information; each Party shall be entitled to disclose such aspects of Confidential Information as may be relevant to one or more technically qualified employees or consultants of the Party who are required in the course of their duties to receive the Confidential Information for the Permitted Purpose provided that the employee or consultant concerned has a legitimate interest therein, and then only to the extent necessary for the Permitted Purpose, and is informed by the Party of the confidential nature of the Confidential Information and the obligations of the confidentiality to which such disclosure is subject and the Party shall ensure such employees or consultants honour such obligations; each Party shall notify the other Party of the name of each person or entity to whom any Confidential Information has been disclosed as soon as practicable after such disclosure; each Party shall ensure that any person or entity to which it discloses Confidential Information shall observe and perform all of the covenants the Party has accepted in this Agreement as if such person or entity has signed this Agreement. The Party disclosing the Confidential Information shall be responsible for any breach of the provisions of this Agreement by such person or entity; and each Party may by written notice to the other Party specify which of the Party’s employees, officers or agents are required to sign a non-disclosure undertaking. The duties and obligations with regard to Confidential Information in this clause 0 shall not apply where: a Party can demonstrate that such information is already in the public domain or becomes available to the public through no breach of this Agreement by that Party, or its Staff; or was rightfully in a Party’s possession prior to receipt from the other Party, as proven by the first- mentioned Party’s written records, without an infringement of an obligation or duty of confidentiality; or can be proved to have been rightfully received by a Party from a third party without a breach of a duty or obligation of confidentiality; or is independently developed by a Party as proven by its written records. This clause 0 shall survive termination for any reason of this Agreement and shall remain in force and effect from the Commencement Date of this Agreement and 5 [five] years after the termination of this Agreement. Upon termination of this Agreement, all documentation furnished to the Supplier/Service Provider by Transnet pursuant to this Agreement shall be returned to Transnet including, without limitation, all corporate identity equipment including dyes, blocks, labels, advertising matter, printing matter and the like.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for 27.5.1 Where any Personal Data are Processed in connection with the duration exercise of the Agreement for the fulfilment of the Parties’ rights and obligations contained herein. In performing the obligations as set out in under this AgreementContract, the Parties shall acknowledge that the Authority is the Data Controller and that the Supplier is the Data Processor.
27.5.2 The Supplier shall:
(a) Process the Personal Data only in accordance with instructions from the Authority to perform its obligations under this Contract;
(b) ensure that at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and or accidental loss, destruction destruction, or damagedamage to the Personal Data, alteration, disclosure or access.including the measures as are set out in Clauses (Security Requirements) and
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to (c) not disclose or otherwise make available transfer the personal data Personal Data to any third party (including sub-contractors and employees)or Supplier Personnel unless necessary for the provision of the Services and, it may do so only with for any disclosure or transfer of Personal Data to any third party, obtain the prior written permission consent of the Authority (save where such disclosure or transfer is specifically authorised under this Contract)
(d) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel:
(i) are aware of and comply with the Supplier’s duties under this Clause 27.5.2 and Clauses 27.1 (Security Requirements), and 27.2 (Confidentiality);
(ii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Contract; and
(iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA);
(e) notify the Authority in writing within five (5) Working Days if it receives:
(i) from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other Party. The Party requiring request, complaint or communication relating to the Authority's obligations under the DPA;
(ii) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or
(iii) a request from any third party for disclosure of Personal Data where compliance with such permission shall require request is required or purported to be required by Law;
(f) provide the Authority with full cooperation and assistance (within the timescales reasonably required by the Authority) in relation to any complaint, communication or request made (as referred to at Clause a)27.5.2(e), including by promptly providing:
(i) the Authority with full details and copies of the complaint, communication or request;
(ii) where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and
(iii) the Authority, on request by the Authority, with any Personal Data it holds in relation to a Data Subject; and
(g) if requested by the Authority, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 27.5.2 and provide to the Authority copies of all documentation relevant to such third partiescompliance including, appropriate written undertakings protocols, procedures, guidance, training and manuals.
27.5.3 The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be providedadequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, containing similar terms after the Commencement Date, the Supplier or any Sub- Contractor wishes to that Process and or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply:
(a) the Supplier shall propose a Variation to the Authority which, if it is agreed by the Authority, shall be dealt with in accordance with the Variation Procedure and Clauses a)27.5.3(b) to a)27.5.3(d);
(b) the Supplier shall set forth out in this clause 25, its proposal to the Authority for a Variation details of the following:
(i) the Personal Data which will be transferred to and dealing with that or Processed in or to any Restricted Countries;
(ii) the Restricted Countries to which the Personal Data will be transferred and or Processed; and
(iii) any Sub-Contractors or other third party's obligations parties who will be Processing and or receiving Personal Data in Restricted Countries;
(c) how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of its processing of the personal data. Following approval by Personal Data that will be Processed in and or transferred to Restricted Countries so as to ensure the other PartyAuthority’s compliance with the DPA;
(d) in providing and evaluating the Variation, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that they have regard to and comply with then-current Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirementapprovals processes in connection with, the Parties Processing in and or transfers of Personal Data to any Restricted Countries; and
(e) the Supplier shall keep all personal data comply with such other instructions and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal such other actions as the Authority may notify in writing, including:
(i) incorporating standard and external risks to or model clauses (which are approved by the personal European Commission as offering adequate safeguards under the DPA) into this Contract or a separate data in its possession processing agreement between the Parties; and
(ii) procuring that any Sub-Contractor or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information third party who will be destroyed Processing and or receiving or accessing the Personal Data in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.Restricted Countries either enters into:
Appears in 1 contract
Samples: Price Benchmarking Services Contract
Protection of Personal Data. 25.1 18.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 18.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 18.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2517, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 17 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 18.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 18.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 18.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisationorganization.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for Where any Personal Data are Processed in connection with the duration exercise of the Agreement for the fulfilment of the Parties’ rights and obligations contained herein. In performing the obligations as set out in under this AgreementCall Off Contract, the Parties shall acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction destruction, or damagedamage to the Personal Data, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond including the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); not disclose or otherwise make available transfer the personal data Personal Data to any third party (including sub-contractors and employees)or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, it may do so only with for any disclosure or transfer of Personal Data to any third party, obtain the prior written permission consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under Clause 34.6.2 and Clauses 34.1 (Security Requirements), 34.2 (Protection of Customer Data) and 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other Partyrequest, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to Clause 34.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Party requiring such permission Supplier shall require of all such third parties, appropriate written undertakings not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be providedadequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, containing similar terms after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to that Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.6.3(b) to 34.6.3(c); the Supplier shall set forth out in this clause 25, its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and dealing with that any Sub-Contractors or other third party's obligations parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of its processing of the personal data. Following approval by Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the other PartyCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirementapprovals processes in connection with, the Parties Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall keep all personal data comply with such other instructions and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to identify all reasonably foreseeable internal those agreed between the Customer and external risks the Sub-Contractor relating to the personal data relevant Personal Data transfer, and in its possession or each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under its controlthe DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Parties Supplier shall implement and maintain appropriate safeguards against use its reasonable endeavours to assist the risks which it identifies Customer to comply with any obligations under the DPA and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Call Off Contract in such a manner way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed to its original form, linking it to any particular individual or organisationa breach of such obligations.
Appears in 1 contract
Samples: Call Off Order Form and Call Off Terms for Goods and/or Services (Non Ict)
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties 11.1 Each Party shall comply at all times with all applicable laws in respect of the protection and privacy of Personal Data including without limitation to the Data Protection Xxx 0000 (“the DP Act”) and shall not perform its obligations under this Contract in such a way as to cause the other Party to breach any of its obligations under the DP Act.
11.2 Each Party when acting in the capacity of a Data Controller will ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed is legally entitled to its original form;
c) data is provided only to authorised personnel who strictly require transfer the personal data to carry out the Parties’ respective obligations Data Processor for the duration and purposes of the Contract.
11.3 Each party when acting in the capacity of a Data Processor shall, in relation to any Personal Data which it is Processing in connection with the performance of its obligation under this AgreementContract:
11.3.1 process that Personal Data only on the written instructions of the Data Controller, unless required by applicable laws to Process Personal Data; in such circumstances the Data Processor shall, if legally allowed to do so, promptly notify the Data Controller of this before performing the Processing;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures 11.3.2 ensure that it has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place measures, to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected protect against unauthorised or unlawful processingprocessing of Personal Data against accidental loss or destruction of, accidental lossor damage to, destruction or damage, alteration, disclosure or access.Personal Data. Such measures shall be appropriate to a) the harm that might result from any breach of such protection; and b) the state of technological development and the cost of implementing any measures;
25.2 The Parties agree 11.3.3 ensure that if all Staff who have access to and/or process personal data will be processed for additional purposes beyond are obliged to keep the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.Personal Data confidential;
25.3 Should it be necessary for either Party to disclose or otherwise make available 11.3.4 not subcontract the personal data to any third party (including sub-contractors and employees), it may do so only with the Personal Data without prior written permission of the Data Controller;
11.3.5 not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Data Controller has been obtained;
11.3.6 notify the other Party. The Party requiring such permission shall require without undue delay on becoming aware of all such third parties, appropriate any breach of the DP Act;
11.3.7 on written undertakings request and/or on termination of the Contract (at the written direction of the Data Controller) delete or return Personal Data and copies thereof to be provided, containing similar terms the Data Controller unless required by applicable laws to that set forth in store the Personal Data; and
11.3.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 25, 11 and dealing with that third party's obligations in respect of its processing of the personal data. Following approval allow for audits by the other Data Controller or its designated auditor.
11.4 At the reasonable request of a Party, the other Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to assist the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to complying with its original form, linking it to any particular individual obligations as Data controller or organisationData Processor.
Appears in 1 contract
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised Unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processingfurtherprocessing.
25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2524, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 24 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual ororganisation.
25.7 Personal Information security breach: Service Provider’s Obligations
a) The Supplier/Service Provider shall notify the Information Officer of Transnet, in writing as soon as possible after it becomes aware of or organisationsuspects any loss, unauthorised access or unlawful use of any personal data and shall, at its own cost, take all necessary remedial steps to mitigate the extent of the loss or compromise of personal data and to restore the integrity of the affected Services as quickly as is possible. The Service Provider shall also be required to provide Transnet with details of the persons affected by the compromise and the nature and extent of the compromise, including details of the identity of the unauthorised person who may have accessed or acquired the personal data.
b) The Service Provider shall provide on-going updates on its progress in resolving the compromise at reasonable intervals until such time as the compromise is resolved.
c) Where required, the Service Provider may be required to notify the South African Police Service; and/or the State Security Agency and where applicable, the relevant regulator and/or the affected persons of the security breach. Any such notification shall always include sufficient information to allow the persons to take protective measures against the potential consequences of the compromise.
d) The Service Provider undertakes to co‑operate in any investigation relating to security which is carried out by or on behalf of Transnet including providing any information or material in its possession or control and implementing new security measures.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 19.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 19.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 19.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 251818, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 18 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 19.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 19.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 19.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 20.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 20.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 20.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 252018.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 20 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 20.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 20.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 20.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 1 contract
Samples: Framework Agreement
Protection of Personal Data. 25.1 26.1 Each of the Parties shall in the provision or use of the Services (as appropriate) comply with all Data Protection Legislation.
26.2 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) 26.2.1 they process data only for the express purpose for which it was obtained;
b) 26.2.2 once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) 26.2.3 data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) 26.2.4 they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) 26.2.5 they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) 26.2.6 they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) 26.2.7 such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 26.3 Without prejudice to any other term in this Agreement, the Parties represent, undertake and warrant that to the extent that it is applicable:
26.3.1 where it acts as the Responsible Party, it shall have met the requirements of either Chapter 6 or Chapter 7 of POPIA, as applicable;
26.3.2 it shall comply with all of the conditions for the lawful Processing of Personal Information as is applicable to a Responsible Party regulated by POPIA; and
26.3.3 where it is involved in the further Processing of Personal Information, it has complied with the provisions of Section 15 of POPIA including, where applicable, the requirement to have obtained the Data Subject's Consent to such further processing in the manner and form prescribed under POPIA.
26.4 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 26.5 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2526, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 26 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 26.6 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 26.7 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 26.8 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
26.9 The Supplier/Service Provider shall notify the Information Officer of Transnet, in writing as soon as possible after it becomes aware of or suspects any loss, unauthorised access or unlawful use of any personal data and shall, at its own cost, take all necessary remedial steps to mitigate the extent of the loss or compromise of personal data and to restore the integrity of the affected Goods/Services as quickly as is possible. The Supplier/Service Provider shall also be required to provide Transnet with details of the persons affected by the compromise and the nature and extent of the compromise, including details of the identity of the unauthorised person who may have accessed or acquired the personal data.
26.10 The Supplier/Service Provider shall provide on-going updates on its progress in resolving the compromise at reasonable intervals until such time as the compromise is resolved.
26.11 Where required, the Supplier/Service Provider may be required to notify the South African Police Service; and/or the State Security Agency and where applicable, the relevant regulator and/or the affected persons of the security breach. Any such notification shall always include sufficient information to allow the persons to take protective measures against the potential consequences of the compromise.
26.12 The Supplier/Service Provider undertakes to co‑operate in any investigation relating to security which is carried out by or on behalf of Transnet including providing any information or material in its possession or control and implementing new security measures.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 21.1 OPAP S.A. implements a Personal Data Protection Policy, in accordance with the General Data Protection Regulation [Regulation (EU) 2016/679] and L. 4624/2019 (Α΄ 137), which Policy is posted on the Website.
21.2 The Parties agree legal basis for the processing of the Player’s personal data, and detailed information regarding the purposes, the duration of processing and the rights of the Player concerning the processing of his/her personal data are included in the Personal Data Protection Policy.
21.3 By accepting the Personal Data Protection Policy, the subject of the data shall be informed on their processing, in accordance with the terms therein.
21.4 OPAP S.A. observes the General Data Protection Regulation and L. 4624/2019 (Α' 137), takes all appropriate preventive technical and organization measures so that is restrict the risk of illegal data processing and of Players’ identification through technical or other means that can reasonably be used by third parties, safeguarding that itself, anyone executing the processing, as well as those having an employment, project or order relationship with it do not share the identity of the persons they know that Participate in the Games or who have acquired any winnings or have lost any amount by such Participation thereof, and that they may obtain do not share, for any reason, their personal details and data without the prior written consent of the Player, unless such consent is not required when the data are made available in the context of obligations borne by the Holder and those having an employment, project or order relationship with it, per the law, as well as when such data are necessary to raise or refute claims in the framework of litigations and for the defense of the legitimate interest of the Holder or of third parties , provided that it prevails over the Player’s rights.
21.5 When consent is required, the Player, as the data subject, shall have the right to revoke it at any time; however, the revocation of the consent shall not affect the lawfulness of the processing based on the consent prior to its revocation.
21.6 The Player, as the data subject, shall be informed on any amendment or expansion of the purposes of processing and of the categories of the data to be processed, in order to provide a new consent, otherwise the Agreement shall be dissolved ex officio.
21.7 The Player, as the data subject, is obliged to immediately inform OPAP S.A. in case the data recorded during his/her registration on the Website have changed, either by himself/herself proceeding to the updating of the details of his/her Online Account, or via communication with OPAP S.A., by observing the provisions of the AML Regulation.
21.8 The HGC, as well as any other competent public body or authority shall have access to personal the data and shall be allowed to process them when such processing is necessary for the duration fulfillment of an obligation executed in favor of the Agreement for public interest or during the fulfilment exercise of the rights public power having been assigned to them.
21.9 The Player, as the data subject, shall accept and obligations contained herein. In performing declare that he/she was informed on the obligations as set out in this AgreementPersonal Data Protection Policy of OPAP S.A., otherwise the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it canAgreement may not be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or accessconcluded.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 1 contract
Samples: Accession Agreement
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;out
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual ororganisation.
25.7 Personal Information security breach: Supplier/Service Provider’s Obligations
a) The Supplier/Service Provider shall notify the Information Officer of Transnet, in writing as soon as possible after it becomes aware of or organisationsuspects any loss, unauthorised access or unlawful use of any personal data and shall, at its own cost, take all necessary remedial steps to mitigate the extent of the loss or compromise of personal data and to restore the integrity of the affected Goods/Services as quickly as is possible. The Supplier/Service Provider shall also be required to provide Transnet with details of the persons affected by the compromise and the nature and extent of the compromise, including details of the identity of the unauthorised person who may have accessed or acquired the personal data.
b) The Supplier/Service Provider shall provide on-going updates on its progress in resolving the
c) Where required, the Supplier/Service Provider may be required to notify the South African Police Service; and/or the State Security Agency and where applicable, the relevant regulator and/or the affected persons of the security breach. Any such notification shall always include sufficient information to allow the persons to take protective measures against the potential consequences of the compromise.
d) The Supplier/Service Provider undertakes to co‑operate in any investigation relating to security which is carried out by or on behalf of Transnet including providing any information or material in its possession or control and implementing new security measures.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 32.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 32.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 32.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2532, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 32 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 32.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 32.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has have been effectively implemented.
25.6 32.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisationorganization.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for Where any Personal Data are Processed in connection with the duration exercise of the Agreement for the fulfilment of the Parties’ rights and obligations contained herein. In performing the obligations as set out in under this AgreementCall Off Contract, the Parties shall acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction destruction, or damagedamage to the Personal Data, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond including the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to measures as are set out in Clauses 36.1 (Security Requirements) and 36.2 (Protection of Customer Data); not disclose or otherwise make available transfer the personal data Personal Data to any third party (including sub-contractors and employees)or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, it may do so only with for any disclosure or transfer of Personal Data to any third party, obtain the prior written permission consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under Clause 36.5.2 and Clauses 36.1 (Security Requirements), 36.2 (Protection of Customer Data) and 36.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other Partyrequest, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 36.5.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to Clause 36.5.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Party requiring such permission Supplier shall require not Process or otherwise transfer any Personal Data in or to a Restricted Country. If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 36.5.3(b) to 36.5.3(c); the Supplier shall set out in its proposal to the Customer for a Variation details of all such the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties, appropriate written undertakings to parties who will be provided, containing similar terms to that set forth Processing and/or receiving Personal Data in this clause 25, Restricted Countries; how the Supplier will ensure an adequate level of protection and dealing with that third party's obligations adequate safeguards in respect of its processing of the personal data. Following approval by Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the other PartyCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirementapprovals processes in connection with, the Parties Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall keep all personal data comply with such other instructions and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to identify all reasonably foreseeable internal those agreed between the Customer and external risks the Sub-Contractor relating to the personal data relevant Personal Data transfer, and in its possession or each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under its controlthe DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Parties Supplier shall implement and maintain appropriate safeguards against use its reasonable endeavours to assist the risks which it identifies Customer to comply with any obligations under the DPA and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Call Off Contract in such a manner way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed to its original form, linking it to any particular individual or organisationa breach of such obligations.
Appears in 1 contract
Samples: Call Off Contract
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for Where any Personal Data are Processed in connection with the duration exercise of the Agreement for the fulfilment of the Parties’ rights and obligations contained herein. In performing the obligations as set out in under this AgreementCall-Off Contract, the Parties shall acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call-Off Contract; ensure that at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction destruction, or damagedamage to the Personal Data, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond including the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to measures as are set out in Clauses 31.1 (Security Requirements) and 31.2 (Protection of Customer Data); not disclose or otherwise make available transfer the personal data Personal Data to any third party (including sub-contractors and employees)or Supplier Personnel unless necessary for the provision of the Services and, it may do so only with for any disclosure or transfer of Personal Data to any third party, obtain the prior written permission consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call-Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 31.6.2 and Clauses 31.1 (Security Requirements),31.2 (Protection of Customer Data) and 31.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call-Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other Partyrequest, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 31.6.2(e) including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 31.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Party requiring such permission Supplier shall require of all such third parties, appropriate written undertakings not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be providedadequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, containing similar terms after the Call-Off Commencement Date, the Supplier or any Sub-Contractor wishes to that Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 31.6.3(b) to 31.6.3(c); the Supplier shall set forth out in this clause 25, its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and dealing with that any Sub-Contractors or other third party's obligations parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of its processing of the personal data. Following approval by Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the other PartyCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirementapprovals processes in connection with, the Parties Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall keep all personal data comply with such other instructions and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call-Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to identify all reasonably foreseeable internal those agreed between the Customer and external risks the Sub-Contractor relating to the personal data relevant Personal Data transfer, and in its possession or each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under its controlthe DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Parties Supplier shall implement and maintain appropriate safeguards against use its reasonable endeavours to assist the risks which it identifies Customer to comply with any obligations under the DPA and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Call-Off Contract in such a manner way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed to its original form, linking it to any particular individual or organisationa breach of such obligations.
Appears in 1 contract
Samples: Vehicle Hire Services Order Form
Protection of Personal Data. 25.1 The 35.1 Both Parties agree that they may obtain and have access to personal data for the duration as a result of the Agreement for the fulfilment of the rights and obligations contained hereinBid process. In performing the obligations as set out in this Agreement, the The Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreementin terms of the Bid process;
d) they do not disclose personal data of the other Party, other than as agreed in terms of this Agreementparagraph 37.3 below;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms as a result of this Agreementthe Bid process;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 35.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 35.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25paragraph 37, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 37 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 35.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 35.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 35.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreementthe Bid process, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 1 contract
Samples: Bid Agreement
Protection of Personal Data. 25.1 19.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 19.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 19.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2518, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 18 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 19.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 19.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 19.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 The Parties agree
36.1 To the extent that:
36.1.1 the Contractor Processes any Personal Data pursuant to this Agreement which relates to DCC Data Subjects or Energy Industry Data Subjects, then the Contractor shall be a Data Processor and DCC shall be a Data Controller in relation to that they Personal Data; and/or
36.1.2 the Contractor Processes any Personal Data pursuant to this Agreement relating to Energy Consumer Data Subjects, it shall Process that Personal Data in the capacity of Sub-Processor, DCC shall be the Data Processor and the relevant DCC Service User shall be the Data Controller.
36.2 Subject to the other provisions of this Clause 36 and the terms of this Agreement, the types of Personal Data that may obtain be Processed in relation to Contractor Data Subjects, DCC Data Subjects and have access Energy Industry Data Subjects may include Basic Information and/or Industry Information; and the types of Personal Data that may be Processed in relation to personal data Energy Consumer Data Subjects may include Energy Supply Information.
36.3 In respect of the Contractor's Processing under this Agreement:
36.3.1 the subject-matter, nature and purpose of the Processing will be for the purposes of performing the Services and/or as required to assist in delivering the Objectives;
36.3.2 the duration of the Processing shall be the term of this Agreement for (or, in the fulfilment case of the rights and obligations contained herein. In performing the obligations specific Personal Data or categories of Personal Data, such shorter retention period as may be explicitly set out in this Agreement or as DCC may instruct in writing from time to time); and
36.3.3 the Parties will use the Change Control Procedure to agree any changes or additions to the subject matter, nature, purpose or type of Personal Data to be Processed under this Agreement.
36.4 Where designated as a Processor or Sub-Processor of DCC under this Agreement (as the case may be), the Parties shall Contractor shall:
36.4.1 Process the Personal Data only in accordance with documented instructions from the DCC and for the purposes of and in the manner permitted by this Agreement;
36.4.2 having regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the relevant Data Subjects, ensure that at all times ensure thatit has in place appropriate technical and organisational measures to guard against accidental or unlawful loss, destruction, alteration or unauthorised disclosure of, or access to, the Personal Data transmitted, stored or otherwise processed, including the measures as are set out in Clause 35 (DCC Data), Clause 42 (Security Requirements) and the Security Management Plan;
36.4.3 taking into account the nature of the processing and the information available to the Contractor, assist the DCC in ensuring compliance with DCC’s obligations in Articles 32-36 of the General Data Protection Regulation (or its national equivalent) including:
(a) they process data only notifying DCC without undue delay if the Contractor becomes aware of a breach of the Data Protection Laws in relation to the Personal Data (including in the event of unauthorised access to such Personal Data); and
(b) providing full details of the relevant breach where caused by the Contractor or any Sub-Contractor without undue delay, or, where necessary, in phases but always without further undue delay;
36.4.4 not disclose or transfer the Personal Data to any third party or Contractor Personnel, or allow a third party or Contractor Personnel access to the Personal Data, unless necessary for the express purpose provision of the Services and:
(a) for which it was obtainedany disclosure or transfer of Personal Data to any third party, with the prior written consent of the DCC;
(b) once processed for where the purposes for Contractor wishes to appoint a sub-Processor, in compliance with Clause 28 (Supply Chain Rights) and any applicable conditions under such Clause 28 (Supply Chain Rights), provided any sub-Processor is subject to contractual terms which it was obtained, all data will be destroyed are identical to an extent that it cannot be reconstructed to its original formthose set out in this Clause 36;
36.4.5 take all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that the Contractor Personnel:
(a) are aware of and comply with the Contractor’s duties under this Clause 36.4 and Clauses 37 (Confidentiality), 35 (DCC Data) and 42 (Security Requirements);
(b) are subject to appropriate confidentiality undertakings with the Contractor or the relevant Sub-contractor;
(c) data is provided only are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to authorised personnel who strictly require any third party unless directed in writing to do so by the DCC or as otherwise permitted by this Agreement; and
(d) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the Data Protection Laws);
36.4.6 notify the DCC without undue delay (and wherever possible, in advance) if it:
(a) receives from a Data Subject (or third party on their behalf):
(i) a Data Subject Access Request (or purported Data Subject Access Request);
(ii) a request to carry out rectify, block or erase any Personal Data; or
(iii) any other request, complaint or communication relating to either Party's obligations under the Parties’ respective obligations Data Protection Laws;
(b) Processes Personal Data otherwise than in accordance with this Agreement or Data Protection Laws;
(c) considers that any of the instructions from the DCC or a Data Controller infringe or are likely to infringe the Data Protection Laws, giving full details of the actual or potential infringement;
(d) receives any Regulator Correspondence or any other communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data Processed under this Agreement;
(e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
(f) is required by Law to commit an act or omission that would, but for Clause 36.4, constitute a breach of this Clause 36;
36.4.7 provide the DCC with full co-operation and assistance (within the timescales reasonably required by the DCC) in relation to either Party's obligations under the Data Protection Laws or any complaint, communication or request made as referred to in Clause 36.4.7, including by promptly providing:
(a) the DCC with full details and copies of the complaint, communication or request;
(b) where applicable, such assistance as is reasonably requested by the DCC to enable the DCC to comply with the Data Subject Access Request within the relevant timescales set out in the Data Protection Laws;
(c) where applicable, such assistance as is reasonably requested by the DCC to enable the DCC to comply with any enquiry made or investigation or assessment initiated by the Information Commissioner and/or a Regulatory Body; and
(d) they do not disclose personal data the DCC, on request by the DCC, with any Personal Data it holds in relation to a Data Subject;
36.4.8 assistance following a security breach or incident involving Personal Data as reasonably required by the DCC including with respect to the DCC's consultation with the Information Commissioner's Office;
36.4.9 insofar as it relates to its Processing under this Agreement, maintain accurate and any other information or documentation necessary to demonstrate that it has and is complying with its obligations under this Clause 36 and the Data Protection Laws and make such records, information and documentation available to DCC or, at DCC’s request, a Data Controller, promptly upon request; and
36.4.10 if requested by the DCC, provide a written description of the other Party, other than in terms of this Agreement;
e) they have all reasonable measures that it has taken and technical and organisational security measures in place place, for the purpose of compliance with its obligations pursuant to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or accessClause 36.
25.2 36.5 The Parties agree Contractor shall not Process or otherwise transfer any Personal Data in or to any Restricted Country without the DCC's prior written consent. If, after the Commencement Date, the Contractor or any Sub- contractor wishes to Process and/or transfer any Personal Data in or to any Restricted Country, the Contractor shall, in seeking consent, submit such information as the DCC shall reasonably require in order to enable it to consider the request and acknowledges that if personal data will such consent may be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be given subject to further processingconditions which will, if appropriate, be incorporated into this Agreement at the Contractor's cost and expense using the Change Control Procedure.
25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party 36.6 The Contractor shall (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that its Sub-contractor shall) use all reasonable endeavours to assist the DCC to comply with any persons authorized to process data on their behalf (including employees and third parties) will safeguard obligations under the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies Data Protection Laws and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Agreement in such a manner way as to cause the DCC to breach any of the DCC’s obligations under the Data Protection Laws to the extent the Contractor is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed a breach of such obligations.
36.7 The Contractor shall permit the DCC to audit its original form, linking it to any particular individual or organisationcompliance with this Clause 36 in accordance with Schedule 8.4 (Records and Audit Provisions).
Appears in 1 contract
Protection of Personal Data. 25.1 22.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment fulfillment of the rights and obligations contained herein. In performing the obligations as set out in this the Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this the Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this the Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this the Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 22.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 22.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, 22 and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 22 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 22.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 18.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 18.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 18.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2517.117.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 17.1 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 18.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 18.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 18.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.their
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access 23.1 With respect to personal data for the duration of the Agreement for the fulfilment of the Parties' rights and obligations contained herein. In performing the obligations as set out in under this Agreement, the Parties shall acknowledge that the Authority is a Data Controller and that the Supplier is a Data Processor.
23.2 The Supplier shall:
(a) on or before the Service Commencement Date, agree and enter into a Data Sharing Agreement substantially in the form as set out in Schedule 11 and at all times ensure that:
a) they process data only for the express purpose for which it was obtainedact in compliance with this Data Sharing Agreement;
(b) once processed for Process the purposes for which it was obtained, all data will be destroyed Personal Data only in accordance with instructions from the Authority to an extent that it cannot be reconstructed to perform its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d(c) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have ensure that at all reasonable technical and organisational measures times it has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction or damagedamage to the Personal Data, alteration, disclosure or access.including the measures as are set out in Clause 20 (Authority Data and Security Requirements);
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to (d) not disclose or otherwise make available transfer the personal data Personal Data to any third party (including sub-contractors and employees)or Supplier Personnel unless necessary for the provision of the Services and/or the Traded Contracts and, it may do so only with for any disclosure or transfer of Personal Data to any third party, obtain the prior written permission consent of the Authority (save where such disclosure or transfer is specifically authorised under this Agreement);
(e) take all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel:
(i) are aware of and comply with the Supplier’s duties under this Clause 23 and Clauses 21 (Confidentiality) and 20 (Authority Data and Security Requirements);
(ii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Agreement; and
(iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA);
(f) notify the Authority within two (2) Working Days if it receives:
(i) from a Data Subject (or third party on their behalf):
(A) a Data Subject Access Request (or purported Data Subject Access Request);
(B) a request to rectify, block or erase any Personal Data; or
(C) any other Party. The Party requiring request, complaint or communication relating to the Authority's obligations under the DPA;
(ii) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or
(iii) a request from any third party for disclosure of Personal Data where compliance with such permission shall require of all such third parties, appropriate written undertakings request is required or purported to be provided, containing similar terms to that set forth in this clause 25, required by Law;
(g) provide the Authority with full cooperation and dealing with that third party's obligations in respect of its processing of assistance (within the personal data. Following approval timescales reasonably required by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third partiesAuthority) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreementany complaint, subject communication or request made as referred to any legal retention requirements. This may be at in Clause 23.2(e), including by promptly providing:
(i) the request Authority with full details and copies of the other Party and includes circumstances complaint, communication or request;
(ii) where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and
(iii) the Authority, on request by the Authority, with any Personal Data it holds in relation to a person has Data Subject; and
(h) if requested by the Parties to delete all instances Authority, provide a written description of their personal data. The information will be destroyed in such a manner the measures that it cannot be reconstructed has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to its original formthis Clause 23 and provide to the Authority copies of all documentation relevant to such compliance including, linking it to any particular individual or organisationprotocols, procedures, guidance, training and manuals.
Appears in 1 contract
Protection of Personal Data. 25.1 17.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 17.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 17.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2517.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 17 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 17.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 17.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 17.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 22.1 The Parties Provider shall comply with all the requirements of the Data Protection Xxx 0000 (“DPA) and ensure compliance where personal information is involved or disclosed to the Provider.
22.2 The parties agree that they may obtain the Provider acts as a Data Processor and have the Council act as Data Controller in relation to the processing of Personal Data under the Contract and the Provider undertakes as follows:-
22.2.1 at all times to comply with the DPA and maintain a valid and up to date licence and registration or notification under the DPA covering all data processing activities to be performed;
22.2.2 only to use the Personal Data which it holds in connection with the provision of the Service in accordance with the written instructions of the Data Controller and in accordance with the Contract Documents and shall not use it for any other purpose;
22.2.3 not to disclose Personal Data to any third parties other than (i) to the extent required by a court order, or (ii) employees and sub-contractors to whom such disclosure is reasonably necessary in order for the Provider to carry out the Service provided that such disclosure is made subject to written terms substantially the same as the terms contained in Clause 22 and provided that such disclosure has been approved in advance by the Data Controller;
22.2.4 to ensure by written contract that any agent or subcontractor employed by the Provider to process data to which the Contract Documents relate also provides the Contractor with a plan of the technical and organisational means it has adopted to prevent unauthorised or unlawful processing or accidental loss or destruction of the Personal Data and confirms to the Provider the implementation of those means;
22.2.5 to use its best endeavours to safeguard the Personal Data from unauthorised or unlawful processing or accidental loss, destruction or damage and to put in effect and maintain appropriate technical and organisational measures to prevent unauthorised or unlawful processing of Personal Data and accidental loss or destruction of, or damage to, Personal Data including taking reasonable steps to ensure the reliability of staff having access to personal data for the duration Personal Data;
22.2.6 put in place and maintain appropriate security programmes and procedures which are necessary and appropriate in all the circumstances including those which specifically address the nature of Sensitive Data collected and held by the Provider in the provision of the Agreement Service;
22.2.7 if at any time the Provider suspects or has reason to believe that any Council data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then it shall notify the fulfilment Council immediately and inform the Council of the rights remedial action it proposes to take.
22.2.8 procure that it shall only undertake processing of Personal Data reasonably required and obligations / or necessary in connection with this Contract and shall not transfer any Personal Data to any country or territory outside the European Economic Area without the prior written consent of the Data Controller;
22.2.9 promptly provide the Data Controller with all necessary Personal Data which is in the possession of or under the control of the Provider including a situation where the Data Controller is served with a subject access request under the DPA and the Data Controller informs the Provider in writing that this is the case.
22.3 In addition to the obligation at Clause 22.2 if the Provider should at any time receive a request for information (a subject access request) from any person in respect of whom it holds Personal Data, as a result of the provision of the Service, it shall immediately inform the Council of such request and the Parties shall take all actions necessary in order to ensure that the requirements of the DPA with regard to dual request are fulfilled including complying with applicable time limits.
22.4 The Provider will allow its data processing facilities, operations, procedures and documentation to be submitted for scrutiny by the Council or their auditors in order to ascertain compliance with the DPA and the terms of this Contract.
22.5 The Provider shall be liable for and shall promptly indemnify (and keep indemnified) the Council against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees) and demands incurred by the Council which arise directly or in connection with the Provider’s data processing activities under this Contract, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection requirements by the Provider or its employees, servants, agents or sub-contractors (if applicable).
22.6 The Provider acknowledges that Personal Data shall vest in and is the property of the Council and hereby reserves all Intellectual Property Rights which may subsist in the Personal Data. The Provider shall not delete or remove any copyright notices contained herein. In performing the obligations within or relating to Personal Data.
22.7 Save as set out in this AgreementClause 22, any unauthorised processing, use or disclosure of Personal Data by the Parties Provider is strictly prohibited.
22.8 The Provider shall comply at all times ensure that:
a) they process data only for with the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it canData Protection requirements and shall not be reconstructed to perform its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Contract in such a manner that it cannot be reconstructed way as to cause the Council to breach any of its original form, linking it to any particular individual or organisationapplicable obligations under the Data Protection requirements.
Appears in 1 contract
Samples: Articles of Agreement
Protection of Personal Data. 25.1 17.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 17.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 17.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, 18 and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 17 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 17.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 17.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 17.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 16.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 16.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 16.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 251615.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 16 shall mutatis mutandis apply to all authorised authorized third parties who process personal data.
25.4 16.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 16.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 16.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 26 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 35.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 35.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 35.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2535, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 35 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 35.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 35.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has have been effectively implemented.
25.6 35.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisationorganization.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1
31.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 31.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 31.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2531, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 31 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 31.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 31.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 31.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 24.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 24.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 24.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2529, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 29 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 24.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 24.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 24.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual ororganisation.
24.7 Personal Information security breach: Supplier/Service Provider’s Obligations
a) The Supplier/Service Provider shall notify the Information Officer of Transnet, in writing as soon as possible after it becomes aware of or organisationsuspects any loss, unauthorised access or unlawful use of any personal data and shall, at its own cost, take all necessary remedial steps to mitigate the extent of the loss or compromise of personal data and to restore the integrity of the affected Goods/Services as quickly as is possible. The Supplier/Service Provider shall also be required to provide Transnet with details of the persons affected by the compromise and the nature and extent of the compromise, including details of the identity of the unauthorised person who may have accessed or acquired the personal data.
b) The Supplier/Service Provider shall provide on-going updates on its progress in resolving the compromise at reasonable intervals until such time as the compromise is resolved.
c) Where required, the Supplier/Service Provider may be required to notify the South African Police Service; and/or the State Security Agency and where applicable, the relevant regulator sufficient information to allow the persons to take protective measures against the potential consequences of the compromise.
d) The Supplier/Service Provider undertakes to co‑operate in any investigation relating to security which is carried out by or on behalf of Transnet including providing any information or material in its possession or control and implementing new security measures.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for Where any Personal Data are Processed in connection with the duration exercise of the Agreement for the fulfilment of the Parties’ rights and obligations contained herein. In performing the obligations as set out in under this AgreementCall Off Contract, the Parties shall acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction destruction, or damagedamage to the Personal Data, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond including the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); not disclose or otherwise make available transfer the personal data Personal Data to any third party (including sub-contractors or Supplier Personnel unless necessary for the provision of the Goods and employees)Services and, it may do so only with for any disclosure or transfer of Personal Data to any third party, obtain the prior written permission consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.6.2 and Clauses 34.1 (Security Requirements), 34.2 (Protection of Customer Data) and 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other Partyrequest, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Party requiring such permission Supplier shall require of all such third parties, appropriate written undertakings not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be providedadequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, containing similar terms after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to that Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.6.3(b) to 34.6.3(c); the Supplier shall set forth out in this clause 25, its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and dealing with that any Sub-Contractors or other third party's obligations parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of its processing of the personal data. Following approval by Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the other PartyCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirementapprovals processes in connection with, the Parties Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall keep all personal data comply with such other instructions and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to identify all reasonably foreseeable internal those agreed between the Customer and external risks the Sub-Contractor relating to the personal data relevant Personal Data transfer, and in its possession or each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under its controlthe DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Parties Supplier shall implement and maintain appropriate safeguards against use its reasonable endeavours to assist the risks which it identifies Customer to comply with any obligations under the DPA and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Call Off Contract in such a manner way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed to its original form, linking it to any particular individual or organisationa breach of such obligations.
Appears in 1 contract
Samples: Call Off Contract
Protection of Personal Data. 25.1 18.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 18.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 18.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 251717, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 17 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 18.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 18.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 18.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processingfurtherprocessing.
25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2529, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 29 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for Where any Personal Data are Processed in connection with the duration exercise of the Agreement for the fulfilment of the Parties’ rights and obligations contained herein. In performing the obligations as set out in under this AgreementCall Off Contract, the Parties shall acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction destruction, or damagedamage to the Personal Data, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond including the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to measures as are set out in Clauses 45 (Security Requirements) and 45.1.5 (Protection of Customer Data); not disclose or otherwise make available transfer the personal data Personal Data to any third party (including sub-contractors and employees)or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, it may do so only with for any disclosure or transfer of Personal Data to any third party, obtain the prior written permission consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under Clause 45.1.32 and Clauses 45 (Security Requirements), 45.1.5 (Protection of Customer Data) and 45.1.13(c) (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other Partyrequest, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 45.1.32(h)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to Clause 45.1.32 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Party requiring such permission Supplier shall require of all such third parties, appropriate written undertakings not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be providedadequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, containing similar terms after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to that Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 45.1.33(b) to 45.1.33(g); the Supplier shall set forth out in this clause 25, its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and dealing with that any Sub-Contractors or other third party's obligations parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of its processing of the personal data. Following approval by Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the other PartyCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirementapprovals processes in connection with, the Parties Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall keep all personal data comply with such other instructions and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to identify all reasonably foreseeable internal those agreed between the Customer and external risks the Sub-Contractor relating to the personal data relevant Personal Data transfer, and in its possession or each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under its controlthe DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Parties Supplier shall implement and maintain appropriate safeguards against use its reasonable endeavours to assist the risks which it identifies Customer to comply with any obligations under the DPA and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Call Off Contract in such a manner way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed to its original form, linking it to any particular individual or organisationa breach of such obligations.
Appears in 1 contract
Samples: Call Off Contract
Protection of Personal Data. 25.1 With respect to the Parties' rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is a Data Controller and that the Supplier is a Data Processor. The Parties agree that they may obtain Supplier shall: prior to the processing of any Personal Data under this Call Off Contract and have access where requested by the Customer provide a Privacy Impact Assessment (“PIA”) to personal data for the duration Authority which will include (but not be limited to): a systematic description of the Agreement for envisaged processing operations and the fulfilment purpose of the processing; an assessment of the necessity and proportionality on the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data; Process the Personal Data only in accordance with instructions from the Customer to perform its obligations contained herein. In performing the obligations as set out in under this Agreement, the Parties shall Call Off Contract; ensure that at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction destruction, or damagedamage to the Personal Data, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond including the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); not disclose or otherwise make available transfer the personal data Personal Data to or allow the processing of Personal Data by any Sub-Contractor, Affiliate and third party without the prior written consent of the Customer; take all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.5.2 and and 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (including sub-contractors as defined in the Data Protection Laws); notify the Customer within fourty eight (48) hours if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the Data Protection Laws ; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or considers that any instructions from the Customer infringe the Data Protection Laws; receives any Regulator Correspondence or any other any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Call Off Contract; or is required by Xxx to commit an act or omission that would constitute a breach of this Clause 34.5; provide the Customer with full cooperation and employeesassistance (within the timescales reasonably required by the Customer) in relation to either Party’s obligations uder the Data Protection Laws or any complaint, communication or request made (as referred to at Clause (f)), it may do so only including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the prior Data Subject Access Request within the relevant timescales set out in the Data Protection Laws; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and assistance following a Data Loss Event as required by the Customer including with respect to the conduct of a data protection impact assessment and the Customer's consultation with the Information Commissioner's Office; if requested by the Customer, provide a written permission description of the other Party. The Party requiring such permission shall require measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to Clause 34.5.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. keep a record of all categories of processing activities carried out on behalf of the Customer, containing; the categories of processing carried out on behalf of the Customer; where applicable, any transfers of Personal Data to Restricted Countries or an international organisation The Supplier shall not Process or otherwise transfer any Personal Data in or to a Restricted Country. If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall submit a Variation Form to the Customer which, if the Customer agrees to such Variation, shall be dealt with in accordance with the Variation Procedure; the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties, appropriate written undertakings to parties who will be provided, containing similar terms to that set forth Processing and/or receiving Personal Data in this clause 25, Restricted Countries; how the Supplier will ensure an adequate level of protection and dealing with that third party's obligations adequate safeguards in respect of its processing of the personal data. Following approval by Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the other PartyCustomer’s compliance with the Data Protection Laws; in providing and evaluating the Variation, and the Impact Assessment, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirementapprovals processes in connection with, the Parties Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall keep all personal data comply with such other instructions and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Laws) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to identify all reasonably foreseeable internal those agreed between the Customer and external risks the Sub-Contractor relating to the personal data relevant Personal Data transfer, and in its possession or each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under its controlthe Data Protection Laws ) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Parties Supplier shall implement and maintain appropriate safeguards against assist the risks which it identifies Customer to comply with any obligations under the Data Protection Laws and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Call Off Contract in such a manner way as to cause the Customer to breach any of the Customer’s obligations under the Data Protection Laws to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. The Supplier shall (and shall procure that all Supplier Personnel) comply with any notification requirements under Data Protection Laws and both Parties will duly observe all their obligations under Data Protection Laws which arise in connection with the Call Off Contract. The Supplier will, in conjunction with the Customer, in its own right and in respect of the Services, make all necessary preparations to ensure it canwill be compliant with the provisions of the GDPR upon its implementation The Supplier will provide the Customer with the contact details of its data protection officer or other designated individual with responsibility for data protection and privacy to act as the point of contact for the purpose of observing its obligations under Clause 34.5. The Supplier will notify the Customer immediately, and in any event no later than 12 hours, after becoming aware of a Data Loss Event, in particular the Supplier will; when notifying the Customer of a Data Loss Event, describe the nature of the event including the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; cooperate fully with any Customer investigation into the Data Loss Event including but not limited to the causes and effects (actual or potential); provide immediate access to the Supplier’s premises and systems for the purposes of any Customer investigation under this Call Off Contract; take all necessary actions to remedy the causes of the Data Loss Event and to ensure the protection of Personal Data from any further loss; not make any public statement of any kind without the prior approval of the Customer; where appropriate, provide all assistance necessary to enable the Customer to fulfil its obligations to notify the Information Commissioner within 72 hours after becoming aware of the Data Loss Event. The Supplier shall indemnify the Customer on a continuing basis against any and all Losses incurred by the Customer arising from the Supplier’s Default under this Clause 34.5 and/or any failure by the Supplier or any Sub-Contractor to comply with their respective obligations under Data Protection Laws. Nothing in this Clause 34.5 shall be reconstructed construed as requiring the Supplier or any relevant Sub-Contractor to its original form, linking it to be in breach of any particular individual or organisationData Protection Laws.
Appears in 1 contract
Samples: Call Off Contract
Protection of Personal Data. 25.1 26.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;this
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 26.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 26.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2526, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 26 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 26.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 26.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 26.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual ororganisation.
26.7 Personal Information security breach: Supplier/Service Provider’s Obligations
a) The Supplier/Service Provider shall notify the Information Officer of Transnet, in writing as soon as possible after it becomes aware of or organisationsuspects any loss, unauthorised access or unlawful use of any personal data and shall, at its own cost, take all necessary remedial steps to mitigate the extent of the loss or compromise of personal data and to restore the integrity of the affected Goods/Services as quickly as is possible. The Supplier/Service Provider shall also be required to provide Transnet with details of the persons affected by the compromise and the nature and extent of the compromise, including details of the identity of the unauthorised person who may have accessed or acquired the personal data.
b) The Supplier/Service Provider shall provide on-going updates on its progress in resolving the compromise at reasonable intervals until such time as the compromise is resolved.
c) Where required, the Supplier/Service Provider may be required to notify the South African Police Service; and/or the State Security Agency and where applicable, the relevant regulator and/or the affected persons of the security breach. Any such notification shall always include sufficient information to allow the persons to take protective measures against the potential consequences of the compromise.
d) The Supplier/Service Provider undertakes to co‑operate in any investigation relating to security which is carried out by or on behalf of Transnet including providing any information or material in its possession or control and implementing new security measures.
Appears in 1 contract
Samples: Master Agreement
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for Where any Personal Data are Processed in connection with the duration exercise of the Agreement for the fulfilment of the Parties’ rights and obligations contained herein. In performing the obligations as set out in under this AgreementCall Off Contract, the Parties shall acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction destruction, or damagedamage to the Personal Data, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond including the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to measures as are set out in Clauses 46 (Security Requirements) and 46.1.5 (Protection of Customer Data); not disclose or otherwise make available transfer the personal data Personal Data to any third party (including sub-contractors and employees)or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, it may do so only with for any disclosure or transfer of Personal Data to any third party, obtain the prior written permission consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under Clause 47.1.11 and Clauses 46 (Security Requirements), 46.1.5 (Protection of Customer Data) and 46.1.13(c) (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other Partyrequest, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 47.1.11(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to Clause 47.1.11 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Party requiring such permission Supplier shall require not Process or otherwise transfer any Personal Data in or to a Restricted Country. If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 47.1.12(b) to 47.1.12(c); the Supplier shall set out in its proposal to the Customer for a Variation details of all such the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties, appropriate written undertakings to parties who will be provided, containing similar terms to that set forth Processing and/or receiving Personal Data in this clause 25, Restricted Countries; how the Supplier will ensure an adequate level of protection and dealing with that third party's obligations adequate safeguards in respect of its processing of the personal data. Following approval by Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the other PartyCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirementapprovals processes in connection with, the Parties Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall keep all personal data comply with such other instructions and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to identify all reasonably foreseeable internal those agreed between the Customer and external risks the Sub-Contractor relating to the personal data relevant Personal Data transfer, and in its possession or each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under its controlthe DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Parties Supplier shall implement and maintain appropriate safeguards against use its reasonable endeavours to assist the risks which it identifies Customer to comply with any obligations under the DPA and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Call Off Contract in such a manner way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed to its original form, linking it to any particular individual or organisationa breach of such obligations.
Appears in 1 contract
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for Where any Personal Data are Processed in connection with the duration exercise of the Agreement for the fulfilment of the Parties’ rights and obligations contained herein. In performing the obligations as set out in under this AgreementCall Off Contract, the Parties shall acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction destruction, or damagedamage to the Personal Data, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond including the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to measures as are set out in Clauses 35.1 (Security Requirements) and 35.2 (Protection of Customer Data); not disclose or otherwise make available transfer the personal data Personal Data to any third party (including sub-contractors and employees)or Supplier Personnel unless necessary for the provision of the Services and, it may do so only with for any disclosure or transfer of Personal Data to any third party, obtain the prior written permission consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 35.6.2 and Clauses 35.1 (Security Requirements), 35.2 (Protection of Customer Data) and 35.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other Partyrequest, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 35.(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 35.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Party requiring such permission Supplier shall require of all such third parties, appropriate written undertakings not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be providedadequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, containing similar terms after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to that Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 35.(b) to 35.(c); the Supplier shall set forth out in this clause 25, its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and dealing with that any Sub-Contractors or other third party's obligations parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of its processing of the personal data. Following approval by Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the other PartyCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirementapprovals processes in connection with, the Parties Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall keep all personal data comply with such other instructions and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to identify all reasonably foreseeable internal those agreed between the Customer and external risks the Sub-Contractor relating to the personal data relevant Personal Data transfer, and in its possession or each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under its controlthe DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Parties Supplier shall implement and maintain appropriate safeguards against use its reasonable endeavours to assist the risks which it identifies Customer to comply with any obligations under the DPA and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Call Off Contract in such a manner way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed to its original form, linking it to any particular individual or organisationa breach of such obligations.
Appears in 1 contract
Samples: Order Form
Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access Arrangement between the Parties
36.1 With respect to personal data for the duration of the Agreement for the fulfilment of the Parties' rights and obligations contained herein. In performing the obligations as set out in under this Agreement, the Parties shall at all times ensure that:acknowledge that the DCC is a Data Controller and that the Contractor is a Data Processor. In respect of the Contractor's Processing under this Agreement:-
a) they process data only for 36.1.1 the express subject-matter, nature and purpose for which it was obtained;
b) once processed of the Processing will be DCC employee and supply chain contact details used for the purposes for which it was obtained, all data of liaising with such parties to perform the Services and/or required to assist in delivering the Objectives;
36.1.2 the type of Personal Data being processed will be destroyed to an extent that it cannot be reconstructed to its original formPersonal Data of names, contact addresses, email addresses and telephone numbers;
c) data is provided 36.1.3 the duration of the Processing shall be the term of this Agreement; and
36.1.4 the Parties will use the Variation Procedure to agree any changes or additions to the subject matter, nature, purpose or type of Personal Data to be Processed under this Agreement.
36.2 The Contractor shall:-
36.2.1 Process the Personal Data only in accordance with documented instructions from the DCC to authorised personnel who strictly require the personal data to carry out the Parties’ respective perform its obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have 36.2.2 ensure that at all reasonable technical and organisational measures times it has in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected guard against unauthorised or unlawful processing, processing of the Personal Data and/or accidental loss, destruction or damagedamage to the Personal Data, alterationincluding the measures as are set out in Clause 35 (DCC Data), disclosure or access.Clause 41 (Security Requirements) and the Security Management Plan;
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to 36.2.3 not disclose or otherwise make available transfer the personal data Personal Data to any third party or Contractor Personnel, or allow a third party or Contractor Personnel access to the Personal Data, unless necessary for the provision of the Services and:-
(including sub-contractors and employees)a) for any disclosure or transfer of Personal Data to any third party, it may do so only with the prior written permission consent of the other Party. The Party requiring DCC;
(b) where the Contractor wishes to appoint a sub-Processor, in compliance with Clause 27 (Supply Chain Rights) and any applicable conditions under such permission shall require Clause 27 (Supply Chain Rights) or Clause 36.3;
36.2.4 take all reasonable steps to ensure the reliability and integrity of all such third partiesany Contractor Personnel who have access to the Personal Data and ensure that the Contractor Personnel:-
(i) are aware of and comply with the Contractor’s duties under this Clause 36.2 and Clauses 37 (Confidentiality), 35 (DCC Data) and 41 (Security Requirements);
(ii) are subject to appropriate written confidentiality undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing the Contractor or the relevant Sub-contractor;
(iii) are informed of the personal data. Following approval confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the other PartyDCC or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the Party requiring permission agrees that Data Protection Laws);
36.2.5 notify the provisions of this clause 25 shall mutatis mutandis apply to all authorised DCC without undue delay if it:-
(a) receives from a Data Subject (or third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data party on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.behalf):-
Appears in 1 contract
Samples: Agreement for the Provision of Software Development and Related Services
Protection of Personal Data. 25.1 The Parties agree Tenant shall:
(a) take all reasonable measures to ensure that they may obtain any personal data held in connection with this Agreement is protected against loss and unauthorised access, use, modification, disclosure or other misuse and that only authorised personnel involved in the performance of the Tenant’s obligations hereunder have access to such data; and not disclose any personal data in connection with this Agreement without the prior written consent of the Landlord. Any request for the duration Landlord’s consent under this Clause 4.24(a) must include an explanation of why the proposed disclosure is necessary for the purposes of fulfilling the Tenant’s obligations hereunder;
(b) not transfer personal data held in connection with this Agreement outside Singapore, or allow parties outside Singapore to have access to it, unless with the prior written approval of the Landlord and subject to such conditions as the Landlord may impose. Any request for the Landlord’s approval under this Clause 4.24(b) shall include an explanation of why the proposed transfer is necessary for the purposes of fulfilling the Tenant’s obligations hereunder. If approval is granted, the Tenant shall provide a written undertaking that the personal data which is transferred outside Singapore will be protected to a comparable standard as it is protected under the Personal Data Protection Act 2012 (No. 26 of 2012);
(c) in respect of any personal data held in connection with this Agreement, immediately notify the Landlord when the Tenant becomes aware of the breach of any of the obligations under Clause 4.24;
(d) in respect of any personal data held in connection with this Agreement, co-operate with any reasonable requests, directions or guidelines required by the Landlord arising from or in connection with the handling of personal data; and
(e) ensure that all personal data obtained or held in connection with this Agreement and any copies thereof, regardless of the medium of storage, and which is no longer necessary for the purposes of its performance of the Agreement is securely destroyed within thirty (30) days from the termination or expiry of this Agreement. Any personal data that is retained by the Tenant after such personal data is no longer necessary for the fulfilment purposes of its performance of this Agreement, or without the written authorisation of the rights and obligations contained hereinLandlord, is a breach of this Agreement. In performing No later than thirty (30) days from the obligations as set out in termination or expiry of this Agreement, the Parties Tenant shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent provide a written confirmation that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data no longer in possession of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data obtained or held in their possession connection with this Agreement or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreementcopies thereof, subject to any legal retention requirements. This may be at the request regardless of the other Party and includes circumstances where a person has requested the Parties to delete all instances medium of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisationstorage.
Appears in 1 contract
Samples: Requirement Specifications
Protection of Personal Data. 25.1 18.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 18.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 18.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.so
25.4 18.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 18.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 18.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Appears in 1 contract
Samples: Master Agreement
