Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 24.5.2 and Clause 24.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication 
relating to the Authority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Authority with full cooperation and assistance (within the timescales reasonably required by the Authority) in relation to any complaint, communication or request made (as referred to at Clause 24.5.2(e), including by promptly providing: the Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Authority, on request by the Authority, with any Personal Data it holds in relation to a Data Subject; and if requested by the Authority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 24.5.2 and provide to the Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”) without the Approval of the Framework Authority. 
If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Authority which, if it is agreed by the Authority, shall be dealt with in accordance with Clause 16.1 (Variation Procedure) and Clauses 24.5.3(b) to 24.5.3(d); the Supplier shall set out in its proposal to the Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Authority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries 
either enters into: a direct data processing agreement with the Authority on such terms as may be required by the Authority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of the Authority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 24.5.2 63.4.2 and Clause 24.2 63.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or 
communication relating to the Authority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Authority with full cooperation and assistance (within the timescales reasonably required by the Authority) in relation to any complaint, communication or request made (as referred to at Clause 24.5.2(e63.4.2(e), including by promptly providing: the Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Authority, on request by the Authority, with any Personal Data it holds in relation to a Data Subject; and if requested by the Authority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 24.5.2 63.4.2 and provide to the Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “a Restricted Countries”) without the Approval of the Framework AuthorityCountry. 
If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Authority which, if it is agreed by the Authority, shall be dealt with in accordance with Clause 16.1 50.1 (Variation Procedure) and Clauses 24.5.3(b63.4.3(b) to 24.5.3(d63.4.3(d); the Supplier shall set out in its proposal to the Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Authority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any 
Restricted Countries either enters into: a direct data processing agreement with the Authority on such terms as may be required by the Authority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of the Authority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework AgreementCall Off Contract, the Parties acknowledge that the Authority Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Authority Customer to perform its obligations under this Framework AgreementCall Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 37.1 (Security Requirements) and 37.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods Products and/or Services andServicesand, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority Customer (save where such disclosure or transfer is specifically authorised under this Framework Agreement); Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 24.5.2 37.5.2 and Clause 24.2 Clauses 37.1 (Security Requirements), 37.2 (Protection of Customer Data) and 37.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority Customer or as otherwise permitted by this Framework AgreementCall Off Contract; and have undergone adequate training in the use, care, protection and handling of personal 
data (as defined in the DPA); notify the Authority Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the AuthorityCustomer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Authority Customer with full cooperation and assistance (within the timescales reasonably required by the AuthorityCustomer) in relation to any complaint, communication or request made (as referred to at Clause 24.5.2(e37.5.2(e)), including by promptly providing: the Authority Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Authority Customer to enable the Authority Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the AuthorityCustomer, on request by the AuthorityCustomer, with any Personal Data it holds in relation to a Data Subject; and if requested by the AuthorityCustomer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 24.5.2 37.5.2 and provide to the Authority Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. 
The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “a Restricted Countries”) without the Approval of the Framework AuthorityCountry. If, after the Framework Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation Variation to the Authority Customer which, if it is agreed by the AuthorityCustomer, shall be dealt with in accordance with Clause 16.1 (the Variation Procedure) Procedure and Clauses 24.5.3(b37.5.3(b) to 24.5.3(d37.5.3(c); the Supplier shall set out in its proposal to the Authority Customer for a Variation, Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the AuthorityCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Authoritythen-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with 
such other instructions and shall carry out such other actions as the Authority Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Authority Customer on such terms as may be required by the AuthorityCustomer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority Customer and the Supplier Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Authority Customer to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement Call Off Contract in such a way as to cause the Authority Customer to breach any of the AuthorityCustomer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 24.5.2 27.4.2 and Clause 24.2 27.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or 
communication relating to the Authority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Authority with full cooperation and assistance (within the timescales reasonably required by the Authority) in relation to any complaint, communication or request made (as referred to at Clause 24.5.2(e27.4.2(e), including by promptly providing: the Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Authority, on request by the Authority, with any Personal Data it holds in relation to a Data Subject; and if requested by the Authority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 24.5.2 27.4.2 and provide to the Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “a Restricted Countries”) without the Approval of the Framework AuthorityCountry. 
If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Authority which, if it is agreed by the Authority, shall be dealt with in accordance with Clause 16.1 19.1 (Variation Procedure) and Clauses 24.5.3(b27.4.3(b) to 24.5.3(d27.4.3(d); the Supplier shall set out in its proposal to the Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Authority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any 
Restricted Countries either enters into: a direct data processing agreement with the Authority on such terms as may be required by the Authority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of the Authority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
PUBLICITY AND BRANDING
Subject to Clause 29 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Authority's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Authority to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement.
The Authority shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Authority, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Act 0000 or otherwise.
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 and Clauses 34.1 (Security Requirements), 34.3 (Protection of Customer Data) and 34.4 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as
defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
The Supplier shall not Process or cause or permit any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”) without Approval. If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b) to 34.7.3(d); the Supplier shall set out in its proposal to the Customer for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in
connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 2 contracts
Samples: Agreement, data.gov.uk
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 and Clause 22.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other
request, complaint or communication relating to the Fund's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund with full cooperation and assistance (within the timescales reasonably required by the Fund) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e)), including by promptly providing: the Fund with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund to enable the Fund to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Fund, on request by the Fund, with any Personal Data it holds in relation to a Data Subject; and if requested by the Fund, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 and provide to the Fund copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”).
If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund which, if it is agreed by the Fund, shall be dealt with in accordance with Clause 17.1 (Variation Procedure) and Clauses 22.5.3(b) to 22.5.3(d); the Supplier shall set out in its proposal to the Fund for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Fund’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fund, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing
the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund on such terms as may be required by the Fund; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund to breach any of the Fund’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. PUBLICITY AND BRANDING Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement.
The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.
Appears in 2 contracts
Samples: Framework Agreement, www.contractsfinder.service.gov.uk
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.6.2 and Clauses 34.1 (Security Requirements), 34.2 (Protection of Customer Data) and 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in
the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.6.3(b) to 34.6.3(c); the Supplier shall set out in its proposal to the Customer for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other
instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 2 contracts
Samples: assets.crowncommercial.gov.uk, assets.crowncommercial.gov.uk
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 46 (Security Requirements) and 46.1.5 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and the delivery of purchased Goods and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 46.1.32 and Clauses 46 (Security Requirements), 46.1.5 (Protection of Customer Data) and 46.1.13(c) (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and
handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 46.1.32(h)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that have been taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 46.1.32 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 46.1.33(b) to 46.1.33(g); the Supplier shall set out in its proposal to the Customer for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such
other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Samples: assets.crowncommercial.gov.uk
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.5.2 and Clauses 34.1 (Security Requirements), 34.2 (Protection of Customer Data) and 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as
defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.5.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.5.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.5.3(b) to 34.5.3(c); the Supplier shall set out in its proposal to the Customer for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other
instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Samples: assets.crowncommercial.gov.uk
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework AgreementCall Off Contract, the Parties acknowledge that the Authority Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Authority Customer to perform its obligations under this Framework AgreementCall Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 35.1 (Security Requirements) and 35.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority Customer (save where such disclosure or transfer is specifically authorised under this Framework Agreement); Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 24.5.2 35.6.2 and Clause 24.2 Clauses 35.1 (Security Requirements), 35.2 (Protection of Customer Data) and 35.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority Customer or as otherwise permitted by this Framework AgreementCall Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in 
the DPA); notify the Authority Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the AuthorityCustomer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Authority Customer with full cooperation and assistance (within the timescales reasonably required by the AuthorityCustomer) in relation to any complaint, communication or request made (as referred to at Clause 24.5.2(e35.(e)), including by promptly providing: the Authority Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Authority Customer to enable the Authority Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the AuthorityCustomer, on request by the AuthorityCustomer, with any Personal Data it holds in relation to a Data Subject; and if requested by the AuthorityCustomer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 24.5.2 35.6.2 and provide to the Authority Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. 
The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”) without the Approval of the Framework Authority). If, after the Framework Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation Variation to the Authority Customer which, if it is agreed by the AuthorityCustomer, shall be dealt with in accordance with Clause 16.1 (the Variation Procedure) Procedure and Clauses 24.5.3(b35.(b) to 24.5.3(d35.(c); the Supplier shall set out in its proposal to the Authority Customer for a Variation, Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the AuthorityCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Authoritythen-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other 
instructions and shall carry out such other actions as the Authority Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Authority Customer on such terms as may be required by the AuthorityCustomer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority Customer and the Supplier Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Authority Customer to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement Call Off Contract in such a way as to cause the Authority Customer to breach any of the AuthorityCustomer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Samples: www.contractsfinder.service.gov.uk
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Lease Agreement, the Parties acknowledge that the Authority Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Authority Customer to perform its obligations under this Framework Lease Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 43 (Security Requirements) and 43.2.3(c) (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority Customer (save where such disclosure or transfer is specifically authorised under this Framework Lease Agreement); ) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 24.5.2 43.2.30 and Clause 24.2 Clauses 43 (Security Requirements), 43.2.3(c)(Protection of Customer Data) and 43.2.11(c) (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority Customer or as otherwise permitted by this Framework Lease Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Authority 
Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the AuthorityCustomer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Authority Customer with full cooperation and assistance (within the timescales reasonably required by the AuthorityCustomer) in relation to any complaint, communication or request made (as referred to at Clause 24.5.2(e43.2.30(e)), including by promptly providing: the Authority Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Authority Customer to enable the Authority Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the AuthorityCustomer, on request by the AuthorityCustomer, with any Personal Data it holds in relation to a Data Subject; and if requested by the AuthorityCustomer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 24.5.2 43.2.30 and provide to the Authority Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. 
The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”) without the Approval of the Framework Authority). If, after the Framework Lease Agreement Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation Variation to the Authority Customer which, if it is agreed by the AuthorityCustomer, shall be dealt with in accordance with Clause 16.1 (the Variation Procedure) Procedure and Clauses 24.5.3(b43.2.31(b) to 24.5.3(d43.2.31(c); the Supplier shall set out in its proposal to the Authority Customer for a Variation, Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the AuthorityCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Authoritythen-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with 
such other instructions and shall carry out such other actions as the Authority Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Lease Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Authority Customer on such terms as may be required by the AuthorityCustomer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority Customer and the Supplier Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Authority Customer to comply with any obligations under the DPA and shall not perform its obligations under this Framework Lease Agreement in such a way as to cause the Authority Customer to breach any of the AuthorityCustomer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Samples: Lease Agreement
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework AgreementCall Off Contract, the Parties acknowledge that the Authority Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Authority Customer to perform its obligations under this Framework AgreementCall Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 43 (Security Requirements) and 43.2.3(c) (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority Customer (save where such disclosure or transfer is specifically authorised under this Framework Agreement); Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 24.5.2 43.2.30 and Clause 24.2 Clauses 43 (Security Requirements), 43.2.3(c)(Protection of Customer Data) and 43.2.11(c) (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority Customer or as otherwise permitted by this Framework AgreementCall Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data 
(as defined in the DPA); notify the Authority Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the AuthorityCustomer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Authority Customer with full cooperation and assistance (within the timescales reasonably required by the AuthorityCustomer) in relation to any complaint, communication or request made (as referred to at Clause 24.5.2(e43.2.30(e)), including by promptly providing: the Authority Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Authority Customer to enable the Authority Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the AuthorityCustomer, on request by the AuthorityCustomer, with any Personal Data it holds in relation to a Data Subject; and if requested by the AuthorityCustomer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 24.5.2 43.2.30 and provide to the Authority Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. 
The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”) without the Approval of the Framework Authority). If, after the Framework Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation Variation to the Authority Customer which, if it is agreed by the AuthorityCustomer, shall be dealt with in accordance with Clause 16.1 (the Variation Procedure) Procedure and Clauses 24.5.3(b43.2.31(b) to 24.5.3(d43.2.31(c); the Supplier shall set out in its proposal to the Authority Customer for a Variation, Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the AuthorityCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Authoritythen-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such 
other instructions and shall carry out such other actions as the Authority Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Authority Customer on such terms as may be required by the AuthorityCustomer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority Customer and the Supplier Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Authority Customer to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement Call Off Contract in such a way as to cause the Authority Customer to breach any of the AuthorityCustomer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Samples: assets.crowncommercial.gov.uk
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework AgreementCall Off Contract, the Parties acknowledge that the Authority Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Authority Customer to perform its obligations under this Framework AgreementCall Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 45 (Security Requirements) and 45.1.5 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority Customer (save where such disclosure or transfer is specifically authorised under this Framework Agreement); Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 24.5.2 45.1.32 and Clause 24.2 Clauses 45 (Security Requirements), 45.1.5 (Protection of Customer Data) and 45.1.13(c) (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority Customer or as otherwise permitted by this Framework AgreementCall Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as 
defined in the DPA); notify the Authority Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the AuthorityCustomer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Authority Customer with full cooperation and assistance (within the timescales reasonably required by the AuthorityCustomer) in relation to any complaint, communication or request made (as referred to at Clause 24.5.2(e45.1.32(h)), including by promptly providing: the Authority Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Authority Customer to enable the Authority Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the AuthorityCustomer, on request by the AuthorityCustomer, with any Personal Data it holds in relation to a Data Subject; and if requested by the AuthorityCustomer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 24.5.2 45.1.32 and provide to the Authority Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. 
The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”) without the Approval of the Framework Authority). If, after the Framework Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation Variation to the Authority Customer which, if it is agreed by the AuthorityCustomer, shall be dealt with in accordance with Clause 16.1 (the Variation Procedure) Procedure and Clauses 24.5.3(b45.1.33(b) to 24.5.3(d45.1.33(g); the Supplier shall set out in its proposal to the Authority Customer for a Variation, Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the AuthorityCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Authoritythen-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such 
other instructions and shall carry out such other actions as the Authority Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Authority Customer on such terms as may be required by the AuthorityCustomer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority Customer and the Supplier Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Authority Customer to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement Call Off Contract in such a way as to cause the Authority Customer to breach any of the AuthorityCustomer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Samples: assets.crowncommercial.gov.uk
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of With respect to the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge agree that the Authority Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Authority Customer (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by the Customer to perform its obligations under this Framework Agreementthe Supplier during the Term); ensure that at all times it has Process the Personal Data only to the extent, and in place such manner, as is necessary for the provision of the Supply or as is required by Applicable Law or any Regulatory Body; implement appropriate technical and organisational measures to guard protect the Personal Data against unauthorised or unlawful Processing of the Personal Data and/or and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data; not disclose or transfer Data and having regard to the nature of the Personal Data which is to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement)be protected; take reasonable steps to ensure the reliability and integrity of any of the Supplier Personnel Staff who have access to the Personal Data; not transfer the Personal Data and to any sub-contractors or Affiliates without first obtaining prior written consent from the Customer; ensure that all Supplier Staff required to access the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 24.5.2 and Clause 24.2 (Confidentiality); Personal Data are informed of the confidential nature of the Personal Data and do not comply with the obligations set out in this Clause 19; ensure that none of the Supplier Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA)Customer; notify the Authority Customer (within five (5) Working Days Days) if it receives: a request from a Data Subject to have access to that person’s Personal Data (or third party on their behalf) a “Data Subject Access Request (or purported Data Subject Access Request”), ; or a request to rectify, block or erase any Personal Data or any other request, complaint or communication request relating to the Authority's Customer’s obligations under 
the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by LawProtection Requirements; provide the Authority Customer with full cooperation and assistance (within the timescales reasonably required by the Authority) in relation to any complaint, communication complaint or request made (as referred to at Clause 24.5.2(e)made, including by promptly providingby: providing the Authority Customer with full details and copies of the complaint, communication complaint or request; where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply complying with the a Data Subject Access Request within the relevant timescales set out in the DPAData Protection Requirements and in accordance with the Customer’s instructions; and providing the Authority, on request by the Authority, Customer with any Personal Data it holds in relation to a Data SubjectSubject (within the timescales required by the Customer); and if providing the Customer with any information requested by the AuthorityCustomer; permit the Customer (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier’s data Processing activities (and/or those of its agents, subsidiaries and sub-contractors) and comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Agreement; provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, methods employed by the Supplier for processing Personal Data (within the purpose of compliance with its obligations pursuant to this Clause 24.5.2 timescales required by the Customer); and 
provide to the Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”) without the Approval prior written consent of the Framework Authority. IfCustomer and, after where the Framework Commencement Date, Customer consents to a transfer of the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Authority which, if it is agreed by the Authority, shall be dealt with in accordance with Clause 16.1 (Variation Procedure) and Clauses 24.5.3(b) to 24.5.3(d); 19.2.5, comply with: the Supplier shall obligations of a Data Controller under the Eighth Data Protection Principle set out in its proposal to the Authority for a Variation, details Schedule 1 of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure Protection Act 1998 by providing an adequate level of protection and adequate safeguards in respect of the to any Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Authority’s compliance with the DPAis transferred; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Authority, Central Government Bodies and Information 
Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data reasonable instructions notified to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved it by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Authority on such terms as may be required by the Authority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority deems necessary for the purpose of protecting Personal DataCustomer. The Supplier shall use its reasonable endeavours to assist comply at all times with the Authority to comply with any obligations under the DPA Data Protection Requirements and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority Customer to breach any of the Authority’s its applicable obligations under the DPA Data Protection Requirements. 
CONFIDENTIALITY Except to the extent set out in this Clause 20 or where disclosure is expressly permitted elsewhere in this Agreement, each Party shall: treat the Supplier other Party’s Confidential Information as confidential and safeguard it accordingly; and not disclose the other Party’s Confidential Information to any other person without the owner’s prior written consent. Clause 20.1 shall not apply to the extent that: such disclosure is awarea requirement of an Applicable Law placed upon the Party making the disclosure, including any requirements for disclosure under the FOIA or ought reasonably the Environmental Information Regulations pursuant to have been aware, that Clause 21; such information was in the same would be possession of the Party making the disclosure without obligation of confidentiality prior to its disclosure by the information owner; such information was obtained from a third party without obligation of confidentiality; such information was already in the public domain at the time of disclosure otherwise than by a breach of this Agreement; or such information is independently developed without access to the other Party’s Confidential Information. The Supplier may only disclose the Customer’s Confidential Information to the Supplier Staff who are directly involved in the provision of the Supply and who need to know the information, and shall ensure that such Supplier Staff are aware of and shall comply with the obligations set out in this Clause 20 in respect of such information. The Supplier shall not, and shall procure that the Supplier Staff do not, use any of the Customer’s Confidential Information received otherwise than for the purposes of this Agreement. 
Nothing in this Agreement shall prevent the Customer from disclosing the Supplier’s Confidential Information: to any Crown Body or any other Contracting Authority on the basis that the information is confidential and is not to be disclosed to a third party which is not part of any Crown Body or any Contracting Authority. All Crown Bodies or Contracting Authorities receiving such Confidential Information shall be entitled to further disclose the Confidential Information to other Crown Bodies or other Contracting Authorities on the basis that the information is confidential and is not to be disclosed to a third party which is not part of any Crown Body or any Contracting Authority; to any consultant, contractor or other person engaged by the Customer, or to any person conducting a government gateway or other review on the basis that the information is confidential and is not to be disclosed to a third party which is not part of any Crown Body or any Contracting Authority; for the purpose of the examination and certification of the Customer’s accounts; or for any examination pursuant to Section 6(1) of the National Audit Act 1983 of the economy, efficiency and effectiveness with which the Customer has used its resources. The Customer shall ensure that any government department, Contracting Authority, employee, third party or sub-contractor to whom the Supplier’s Confidential Information is disclosed pursuant to Clause 20.5 is notified in writing of the Customer’s obligations of confidentiality set out in this Agreement. Nothing in this Clause 20 shall prevent either Party from using any techniques, ideas or know-how gained during the performance of the Agreement in the course of its normal business to the extent that this use does not result in a disclosure of the other Party’s Confidential Information or an infringement of IPR. 
FREEDOM OF INFORMATION The Supplier acknowledges that the Customer is subject to the requirements of the FOIA and the Environmental Information Regulations and shall assist and cooperate with the Customer, to enable the Customer to comply with its Information disclosure obligations. The Supplier shall (and shall procure that its sub-contractors shall) provide all necessary assistance as reasonably requested by the Customer to enable the Customer to respond to a Request for Information within the time for compliance set out in Section 10 of the FOIA or regulation 5 of the Environmental Information Regulations, to include providing the Customer with a copy of all Information in its possession, or power in the form that the Customer requires within five (5) Working Days (or such other period as the Customer may specify) of the Customer’s request. The Customer shall be responsible for determining in its absolute discretion and notwithstanding any other provision in this Agreement or any other agreement whether Information deemed commercially sensitive and/or any other Information is exempt from disclosure in accordance with the provisions of the FOIA or the Environmental Information Regulations. In no event shall the Supplier respond directly to a Request for Information unless expressly authorised to do so by the Customer. The Supplier acknowledges that the Customer may, acting in accordance with the Department of Constitutional Affairs’ Code of Practice on the Discharge of the Functions of Public Authorities under Part 1 of the Freedom of Information Act 2000 (“the Code”), be obliged under the FOIA, or the Environmental Information Regulations to disclose information concerning the Supplier or the services provided by the Supplier under this Agreement unless an exemption applies. The Customer may at its discretion consult the Supplier with regard to whether the FOIA applies to the Information or whether an exemption applies. 
The Supplier shall ensure that all Information produced in the course of this Agreement or relating to this Agreement is retained for disclosure in a manner agreed by the Parties and shall permit the Customer to inspect such records as requested from time to time. The Supplier acknowledges that any Information it deems commercially sensitive is of indicative value only and that the Customer may be obliged to disclose it in accordance with Clause 21.5.
Samples: Framework Agreement
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of With respect to the Parties’ ' rights and obligations under this Framework AgreementCall Off Contract, the Parties acknowledge that the Authority Customer is the a Data Controller and that the Supplier is the a Data Processor. The Supplier shall: prior to the processing of any Personal Data under this Call Off Contract and where requested by the Customer provide a Privacy Impact Assessment (“PIA”) to the Authority which will include (but not be limited to): a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality on the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data; Process the Personal Data only in accordance with instructions from the Authority Customer to perform its obligations under this Framework AgreementCall Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for allow the provision of the Goods and/or Services and, for any disclosure or transfer processing of Personal Data to by any Sub-Contractor, Affiliate and third party, obtain party without the prior written consent of the Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement)Customer; take all reasonable steps to ensure the 
reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 24.5.2 34.5.2 and Clause 24.2 and 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority Customer or as otherwise permitted by this Framework AgreementCall Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPAData Protection Laws); notify the Authority Customer within five forty eight (548) Working Days hours if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the AuthorityCustomer's obligations under the DPAData Protection Laws ; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or considers that any instructions from the Customer infringe the Data Protection Laws; receives any Regulator Correspondence or any other any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Call Off Contract; or is required by Xxx to commit an act or omission that would constitute a breach of this Clause 34.5; provide the Authority Customer with full cooperation and assistance (within the timescales reasonably required by the AuthorityCustomer) in relation to either Party’s obligations under the Data Protection Laws or any complaint, communication 
or request made (as referred to at Clause 24.5.2(e(f)), including by promptly providing: the Authority Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Authority Customer to enable the Authority Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPAData Protection Laws; and the AuthorityCustomer, on request by the AuthorityCustomer, with any Personal Data it holds in relation to a Data Subject; and assistance following a Data Loss Event as required by the Customer including with respect to the conduct of a data protection impact assessment and the Customer's consultation with the Information Commissioner's Office; if requested by the AuthorityCustomer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 24.5.2 34.5.2 and provide to the Authority Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. keep a record of all categories of processing activities carried out on behalf of the Customer, containing; the categories of processing carried out on behalf of the Customer; where applicable, any transfers of Personal Data to Restricted Countries or an international organisation The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “a Restricted Countries”) without the Approval of the Framework AuthorityCountry. 
If, after the Framework Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose submit a variation Variation Form to the Authority Customer which, if it is agreed by the AuthorityCustomer agrees to such Variation, shall be dealt with in accordance with Clause 16.1 (the Variation Procedure) and Clauses 24.5.3(b) to 24.5.3(d); the Supplier shall set out in its proposal to the Authority Customer for a Variation, Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the AuthorityCustomer’s compliance with the DPAData Protection Laws; in providing and evaluating the Variation, and the Impact Assessment, the Parties shall ensure that they have regard to and comply with the Authoritythen-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Authority Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPAData Protection Laws) into this Framework Agreement Call Off 
Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Authority Customer on such terms as may be required by the AuthorityCustomer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority Customer and the Supplier Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPAData Protection Laws ) and technical and organisation measures which the Authority Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Authority Customer to comply with any obligations under the DPA Data Protection Laws and shall not perform its obligations under this Framework Agreement Call Off Contract in such a way as to cause the Authority Customer to breach any of the AuthorityCustomer’s obligations under the DPA Data Protection Laws to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. The Supplier shall (and shall procure that all Supplier Personnel) comply with any notification requirements under Data Protection Laws and both Parties will duly observe all their obligations under Data Protection Laws which arise in connection with the Call Off Contract. 
The Supplier will, in conjunction with the Customer, in its own right and in respect of the Services, make all necessary preparations to ensure it will be compliant with the provisions of the GDPR upon its implementation The Supplier will provide the Customer with the contact details of its data protection officer or other designated individual with responsibility for data protection and privacy to act as the point of contact for the purpose of observing its obligations under Clause 34.5. The Supplier will notify the Customer immediately, and in any event no later than 12 hours, after becoming aware of a Data Loss Event, in particular the Supplier will; when notifying the Customer of a Data Loss Event, describe the nature of the event including the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; cooperate fully with any Customer investigation into the Data Loss Event including but not limited to the causes and effects (actual or potential); provide immediate access to the Supplier’s premises and systems for the purposes of any Customer investigation under this Call Off Contract; take all necessary actions to remedy the causes of the Data Loss Event and to ensure the protection of Personal Data from any further loss; not make any public statement of any kind without the prior approval of the Customer; where appropriate, provide all assistance necessary to enable the Customer to fulfil its obligations to notify the Information Commissioner within 72 hours after becoming aware of the Data Loss Event. The Supplier shall indemnify the Customer on a continuing basis against any and all Losses incurred by the Customer arising from the Supplier’s Default under this Clause 34.5 and/or any failure by the Supplier or any Sub-Contractor to comply with their respective obligations under Data Protection Laws. 
Nothing in this Clause 34.5 shall be construed as requiring the Supplier or any relevant Sub-Contractor to be in breach of any Data Protection Laws.
Samples: www.whatdotheyknow.com
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework AgreementCall Off Contract, the Parties acknowledge that the Authority Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Authority Customer to perform its obligations under this Framework AgreementCall Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority Customer (save where such disclosure or transfer is specifically authorised under this Framework Agreement); Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 24.5.2 34.6.2 and Clause 24.2 Clauses 34.1 (Security Requirements), 34.2 (Protection of Customer Data) and 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority Customer or as otherwise permitted by this Framework AgreementCall Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in 
the DPA); notify the Authority Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the AuthorityCustomer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Authority Customer with full cooperation and assistance (within the timescales reasonably required by the AuthorityCustomer) in relation to any complaint, communication or request made (as referred to at Clause 24.5.2(e34.6.2(e)), including by promptly providing: the Authority Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Authority Customer to enable the Authority Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the AuthorityCustomer, on request by the AuthorityCustomer, with any Personal Data it holds in relation to a Data Subject; and if requested by the AuthorityCustomer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 24.5.2 34.6.2 and provide to the Authority Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. 
The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”) without the Approval of the Framework Authority). If, after the Framework Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation Variation to the Authority Customer which, if it is agreed by the AuthorityCustomer, shall be dealt with in accordance with Clause 16.1 (the Variation Procedure) Procedure and Clauses 24.5.3(b34.6.3(b) to 24.5.3(d34.6.3(c); the Supplier shall set out in its proposal to the Authority Customer for a Variation, Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the AuthorityCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Authoritythen-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other 
instructions and shall carry out such other actions as the Authority Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Authority Customer on such terms as may be required by the AuthorityCustomer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority Customer and the Supplier Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Authority Customer to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement Call Off Contract in such a way as to cause the Authority Customer to breach any of the AuthorityCustomer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Samples: assets.crowncommercial.gov.uk
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 46 (Security Requirements) and 46.1.5 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 47.1.11 and Clauses 46 (Security Requirements), 46.1.5 (Protection of Customer Data) and 46.1.13(c) (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 47.1.11(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 47.1.11 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
The Supplier shall not Process or otherwise transfer any Personal Data in or to a Restricted Country. If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 47.1.12(b) to 47.1.12(c); the Supplier shall set out in its proposal to the Customer for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Samples: assets.crowncommercial.gov.uk
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses (Security Requirements) and (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 39.1.31 and Clauses (Security Requirements), (Protection of Customer Data) and (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 39.(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 39.1.31 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
The Supplier shall not Process or otherwise transfer any Personal Data in or to a Restricted Country. If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 39.(b) to 39.(c); the Supplier shall set out in its proposal to the Customer for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Samples: assets.crowncommercial.gov.uk
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 24.1 (Security Requirements) and 24.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 24.6.2 and Clauses 24.1 (Security Requirements), 24.2 (Protection of Customer Data) and 24.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 24.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 24.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 24.6.3(b) to 24.6.3(c); the Supplier shall set out in its proposal to the Customer for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; and how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Authority on such terms as may be required by the Authority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of the Authority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Samples: assets.crowncommercial.gov.uk
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call-Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call-Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 31.1 (Security Requirements) and 31.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call-Off Contract); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 31.6.2 and Clauses 31.1 (Security Requirements), 31.2 (Protection of Customer Data) and 31.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call-Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 31.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 31.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Call-Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 31.6.3(b) to 31.6.3(c); the Supplier shall set out in its proposal to the Customer for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call-Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call-Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Samples: assets.crowncommercial.gov.uk
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 32.1 (Security Requirements) and 32.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 32.6.2 and Clauses 32.1 (Security Requirements), 32.2 (Protection of Customer Data) and 32.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 32.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 32.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 32.6.3(b) to 32.6.3(c); the Supplier shall set out in its proposal to the Customer for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other
instructions and shall carry out such other actions as the Authority Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Authority Customer on such terms as may be required by the AuthorityCustomer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority Customer and the Supplier Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Authority Customer to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement Call Off Contract in such a way as to cause the Authority Customer to breach any of the AuthorityCustomer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Samples: assets.crowncommercial.gov.uk
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. Notwithstanding clause 34.5.1 the Supplier shall comply with its obligations under the DPA. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.5.3 and Clauses 34.1 (Security Requirements), 34.2 (Protection of Customer Data) and 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.5.3 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “a Restricted Country”). If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.(b) to 34.(c); the Supplier shall set out in its proposal to the Customer for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA. The Supplier shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Samples: www.whatdotheyknow.com
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Contract); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.6.2 and Clauses 34.1 (Security Requirements), 34.2 (Protection of Customer Data) and 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Contract Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.6.3(b) to 34.6.3(c); the Supplier shall set out in its proposal to the Customer for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Samples: assets.crowncommercial.gov.uk
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 36.1 (Security Requirements) and 36.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 36.5.2 and Clauses 36.1 (Security Requirements), 36.2 (Protection of Customer Data) and 36.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 36.5.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 36.5.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “a Restricted Country”). If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 36.5.3(b) to 36.5.3(c); the Supplier shall set out in its proposal to the Customer for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Samples: assets.crowncommercial.gov.uk
Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.6.2 and Clauses 34.1 (Security Requirements), 34.2 (Protection of Customer Data) and 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.6.3(b) to 34.6.3(c); the Supplier shall set out in its proposal to the Customer for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other
instructions and shall carry out such other actions as the Authority Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Authority Customer on such terms as may be required by the AuthorityCustomer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority Customer and the Supplier Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Authority Customer to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement Call Off Contract in such a way as to cause the Authority Customer to breach any of the AuthorityCustomer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Samples: assets.crowncommercial.gov.uk
Protection of Personal Data. Where any Personal Data are is Processed in connection with the exercise of the Parties’ rights and obligations under this Framework the Commercial Agreement, the Parties acknowledge that the Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier Supplier, including any Sub-Contractors shall: Process the Personal Data only in accordance with instructions from the Authority to perform its obligations under this Framework the Commercial Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority (save where such disclosure or transfer is specifically authorised under this Framework the Commercial Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 24.5.2 B14.2 and Clause 24.2 (Confidentiality)B11 above; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Framework the Commercial Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access 
Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Authority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Authority with full cooperation and assistance (within the timescales reasonably required by the Authority) in relation to any complaint, communication or request made (as referred to at Clause 24.5.2(e)B14.2(e) above, including by promptly providing: the Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Authority, on request by the Authority, with any Personal Data it holds in relation to a Data Subject; and if requested by the Authority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 24.5.2 B14.2 and provide to the Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not not, without the consent of the Customer, Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together the “Restricted Countries”) without the Approval of the Framework Authority). 
If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic AreaArea (a “Restricted Data Transfer”) then, the following provisions shall applyapply in respect of such Restricted Data Transfer: the Supplier shall propose a variation inform the Customer that it wishes to the Authority which, if it is agreed Process or transfer Personal Data controlled by the Authority, shall be dealt with Customer in accordance with Clause 16.1 (Variation Procedure) and Clauses 24.5.3(b) or to 24.5.3(d)a Restricted Country; the Supplier shall set out in its proposal provide to the Authority for Customer, the following details relating to the Restricted Data Transfer in writing (a Variation, details of the following: “Data Transfer Notice”): the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors Contractor or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; and how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the AuthorityCustomer’s compliance with the DPA; in providing and evaluating the VariationData Transfer Notice, the Parties shall ensure that they have regard to and comply with the AuthorityCustomer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Authority Customer may notify in writing, including: 
incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework the Commercial Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Authority Customer on such terms as may be required by the AuthorityCustomer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority Customer and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority Customer deems necessary for the purpose of protecting Personal Data. Upon receipt of a Data Transfer Notice, the Customer shall obtain approval from GSIRO in respect of the Restricted Data Transfer. If GSIRO and the Customer accept (i) the terms and information set out in the Data Transfer Notice; and (ii) the circumstances surrounding such proposed Restricted Data Transfer, then the Customer shall provide the Supplier with its written consent to such Restricted Data Transfer. However, if the requirement to seek GSIRO approval shall not apply if the Restricted Data Transfer relates to processing by an off shored third party service provider on an individual travel transactional basis (e.g., a Hotel outside the EEA). The Supplier will process the Customer’s Personal Identifiable Information (PII) and privacy related data in compliance with current UK legislation and in particular the Data Protection Act. 
Prior to completion of the Enabling Agreement the Supplier shall be required to support the Customer in obtaining the relevant Customer Data Controller’s approval. In support of this approval the Supplier shall be required to produce a Privacy Impact Assessment (PIA), to be agreed by the Customer before the Commencement Date of the Enabling Agreement. The Supplier shall use its reasonable endeavours to assist the Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework the Commercial Agreement in such a way as to cause the Authority to breach any of the Authority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Publicity and Branding The Supplier shall not: make any press announcements or publicise the Commercial Agreement in any way; or use the Authority's name or brand in any promotion or marketing or announcement, without Approval (the decision of the Authority to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in the Commercial Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Authority shall be entitled to publicise the Commercial Agreement in accordance with any legal obligation upon the Authority, including any examination of the Commercial Agreement by the National Audit Office pursuant to the National Audit Act 1983 or otherwise. 
All Publications The Supplier shall obtain the Authority's Approval prior to publishing any content in relation to the Commercial Agreement using any media, including on any electronic medium, if the content published requires updating the Supplier will ensure that such content is regularly maintained and updated. In the event that the Supplier fails to maintain or update the content, the Authority may give the Supplier notice to rectify the failure and if the failure is not rectified to the reasonable satisfaction of the Authority within one (1) Month of receipt of such notice, the Authority shall have the right to remove such content itself or require that the Supplier immediately arranges the removal of such content.
Samples: Commercial Agreement