Protection of Personal Data. 18.1 With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Authority is the Data Controller and that the Contractor is the Data Processor.
18.2 The Contractor shall:
18.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Authority to the Contractor during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to time;
18.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security);
18.2.4 take reasonable steps to ensure the reliability of any Contractor’s Personnel who have access to the Personal Data;
18.2.5 obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or affiliates for the provision of the Services;
18.2.6 ensure that all Contractor’s Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18;
18.2.7 ensure that none of the Contractor’s Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority;
18.2.8 notify the Authority (within five Working Days) if it receives:
18.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 a complaint or request relating to the Authority's obligations under the Data Protection Legislation;
18.2.9 provide the Authority with full co-operation and assistance in relation to any complaint or request made, including by:
18.2.9.1 providing the Authority with full details of the complaint or request;
18.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;
18.2.9.3 providing the Authority with any Personal Data it holds in relation to a Data Subject, within the timescales required by the Authority; and
18.2.9.4 providing the Authority with any information requested by the Authority;
18.2.10 permit the Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Contractor's data Processing activities (and/or those of its Personnel) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under the Contract;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 23 contracts
Samples: Service Agreement, Framework Agreement, Framework Agreement
Protection of Personal Data. 18.1 With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Authority is the Data Controller and that the Contractor is the Data Processor.
18.2 The Contractor shall:
18.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Authority to the Contractor during the TermContract Period) and the Contractor shall at the very least comply with the provisions of Schedule E (the Information Security) and HM Government Security Framework as updated from time to timeSchedule;
18.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security);
18.2.4 take reasonable steps to ensure the reliability of any Contractor’s Personnel who have access to the Personal Data;
18.2.5 obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or affiliates for the provision of the Services;
18.2.6 ensure that all Contractor’s Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18;
18.2.7 ensure that none of the Contractor’s Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority;
18.2.8 notify the Authority (within five Working Days) if it receives:
18.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 a complaint or request relating to the Authority's obligations under the Data Protection Legislation;
18.2.9 provide the Authority with full co-operation and assistance in relation to any complaint or request made, including by:
18.2.9.1 providing the Authority with full details of the complaint or request;
18.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;
18.2.9.3 providing the Authority with any Personal Data it holds in relation to a Data Subject, within the timescales required by the Authority; and
18.2.9.4 providing the Authority with any information requested by the Authority;
18.2.10 permit the Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Contractor's data Processing activities (and/or those of its Personnel) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under the Contract;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 20 contracts
Samples: Contract for the Provision of Language Services, Supply and Installation Agreement, Purchasing Framework Agreement
Protection of Personal Data. 18.1. With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Authority is the Data Controller and that the Contractor is the Data Processor.
18.2. The Contractor shall:
18.2.1. Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Authority to the Contractor during the TermContract Period) and the Contractor shall at the very least comply with the provisions of Schedule E (the Information Security) and HM Government Security Framework as updated from time to timeSchedule;
18.2.2. Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3. implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security);
18.2.4. take reasonable steps to ensure the reliability of any Contractor’s Personnel who have access to the Personal Data;
18.2.5. obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or affiliates for the provision of the Services;
18.2.6. ensure that all Contractor’s Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18;
18.2.7. ensure that none of the Contractor’s Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority;
18.2.8. notify the Authority (within five Working Days) if it receives:
18.2.8.1. a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2. a complaint or request relating to the Authority's obligations under the Data Protection Legislation;
18.2.9. provide the Authority with full co-operation and assistance in relation to any complaint or request made, including by:
18.2.9.1. providing the Authority with full details of the complaint or request;
18.2.9.2. complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;
18.2.9.3. providing the Authority with any Personal Data it holds in relation to a Data Subject, within the timescales required by the Authority; and
18.2.9.4. providing the Authority with any information requested by the Authority;
18.2.10. permit the Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Contractor's data Processing activities (and/or those of its Personnel) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under the Contract;
18.2.11. provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12. not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1. the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2. any reasonable instructions notified to it by the Authority.
18.3. The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 13 contracts
Samples: Noms Co Financing Organisation (Cfo) Provision for the European Social Fund (Esf) 2014 2020 Operational Programme, Contract for Personnel Services, Contract for the Provision of Services
Protection of Personal Data. 18.1 15.1 With respect to the Partiesparties' rights and obligations under the this Contract, the Parties parties agree that where there is Processing of Personal Data by the Authority SERVICE PROVIDER on behalf of the CUSTOMER, the CUSTOMER is the Data Controller and that the Contractor SERVICE PROVIDER is the Data ProcessorProcessor and accordingly this Clause 15 shall apply.
18.2 15.2 The Contractor SERVICE PROVIDER shall:
18.2.1 15.2.1 Process the Personal Data only in accordance with instructions from the Authority CUSTOMER (which may be specific instructions or instructions of a general nature as set out in the this Contract or as otherwise notified by the Authority CUSTOMER to the Contractor SERVICE PROVIDER during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to time);
18.2.2 15.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services Ordered IT Solutions or as is required by Law or any Regulatory Body;
18.2.3 15.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security)protected;
18.2.4 15.2.4 take reasonable steps to ensure the reliability of any Contractor’s SERVICE PROVIDER Personnel who have access to the Personal Data;
18.2.5 15.2.5 obtain prior written consent from the Authority CUSTOMER in order to transfer the Personal Data to any subSub-contractors Contractors or affiliates Affiliates for the provision of the ServicesOrdered IT Solutions;
18.2.6 15.2.6 ensure that all Contractor’s SERVICE PROVIDER Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18Clause 15;
18.2.7 15.2.7 ensure that none of the Contractor’s SERVICE PROVIDER Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCUSTOMER;
18.2.8 15.2.8 notify the Authority CUSTOMER (within five (5) Working Days) if it receives:
18.2.8.1 15.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 15.2.8.2 a complaint or request relating to the AuthorityCUSTOMER's obligations under the Data Protection Legislation;
18.2.9 15.2.9 provide the Authority CUSTOMER with full co-operation cooperation and assistance in relation to any complaint or request made, including by:
18.2.9.1 15.2.9.1 providing the Authority CUSTOMER with full details of the complaint or request;
18.2.9.2 15.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the AuthorityCUSTOMER's instructions;
18.2.9.3 15.2.9.3 providing the Authority CUSTOMER with any Personal Data it holds in relation to a Data Subject, Subject (within the timescales required by the AuthorityCUSTOMER); and
18.2.9.4 15.2.9.4 providing the Authority CUSTOMER with any information requested by the AuthorityCUSTOMER;
18.2.10 15.2.10 permit the Authority CUSTOMER or the its nominated representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25Clause 35, the ContractorSERVICE PROVIDER's data Processing activities (and/or those of its Personnelagents, subsidiaries and Sub- Contractors) and comply with all reasonable requests or directions by the Authority CUSTOMER to enable the Authority CUSTOMER to verify and/or procure that the Contractor SERVICE PROVIDER is in full compliance with its obligations under the this Contract;
18.2.11 15.2.11 provide a written description of the technical and organisational methods employed by the Contractor SERVICE PROVIDER for processing Personal Data (within the timescales required by the AuthorityCUSTOMER); and
18.2.12 15.2.12 not Process or otherwise transfer any Personal Data outside the European Economic Area without Area. If, after the prior written consent of Effective Date, the Authority and, where the Authority consents SERVICE PROVIDER (or any Sub-Contractor) wishes to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to Process and/or transfer any Personal Data that is transferred; andoutside the European Economic Area, the following provisions shall apply:
18.2.12.2 any reasonable instructions notified 15.2.12.1 the SERVICE PROVIDER shall submit an Contract Change Note to it by the Authority.
18.3 The Contractor CUSTOMER which shall comply at all times be dealt with in accordance with the Data Protection Legislation Contract Change Procedure and shall not perform its obligations under the Contract in such a way as Clauses
15.2.12.2 to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.15.2.12.4 below;
Appears in 6 contracts
Samples: It Products and Services Contract, Contract, It Products and Services Contract
Protection of Personal Data. 18.1 20.5.1 With respect to the Partiesparties' rights and obligations under the this Contract, the Parties parties agree that the Authority Customer is the Data Controller and that the Contractor Supplier is the Data Processor.
18.2 20.5.2 The Contractor Supplier shall:
18.2.1 20.5.2.1 Process the Personal Data only in accordance with instructions from the Authority Customer (which may be specific instructions or instructions of a general nature as set out in the this Contract or as otherwise notified by the Authority Customer to the Contractor Supplier during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to timeContract Period);
18.2.2 20.5.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3 20.5.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security)protected;
18.2.4 20.5.2.4 take reasonable steps to ensure the reliability of any Contractor’s Personnel Staff who have access to the Personal Data;
18.2.5 20.5.2.5 obtain prior written consent from the Authority Approval in order to transfer the Personal Data to any subSub-contractors or affiliates Affiliates for the provision of the Services;
18.2.6 20.5.2.6 ensure that all Contractor’s Personnel Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 1820.5;
18.2.7 20.5.2.7 ensure that none of the Contractor’s Personnel Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCustomer;
18.2.8 20.5.2.8 notify the Authority Customer (within five (5) Working Days) if it receives:
18.2.8.1 (a) a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 (b) a complaint or request relating to the AuthorityCustomer's obligations under the Data Protection Legislation;
18.2.9 20.5.2.9 provide the Authority Customer with full co-operation cooperation and assistance in relation to any complaint or request made, including by:
18.2.9.1 (a) providing the Authority Customer with full details of the complaint or request;
18.2.9.2 (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the AuthorityCustomer's instructions;
18.2.9.3 (c) providing the Authority Customer with any Personal Data it holds in relation to a Data Subject, Subject (within the timescales required by the AuthorityCustomer); and
18.2.9.4 (d) providing the Authority Customer with any information requested by the AuthorityCustomer;
18.2.10 20.5.2.10 permit the Authority Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the ContractorSupplier's data Processing activities (and/or those of its Personnelagents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Authority Customer to enable the Authority Customer to verify and/or procure that the Contractor Supplier is in full compliance with its obligations under the this Contract;
18.2.11 20.5.2.11 provide a written description of the technical and organisational methods employed by the Contractor Supplier for processing Personal Data (within the timescales required by the AuthorityCustomer); and
18.2.12 20.5.2.12 not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Supplier (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply:
(a) the Supplier shall submit a request for Variation to the Customer which shall be dealt with in accordance with the Variation Procedure and paragraph (b) to (d) below;
(b) the Supplier shall set out in its request for a Variation details of the following:
(i) the Personal Data which will be Processed and/or transferred outside the European Economic Area;
(ii) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area;
(iii) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and
(iv) how the Supplier will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer's compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area;
(c) in providing and evaluating the request for Variation, the parties shall ensure that they have regard to and comply with then-current Customer, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area without and/or overseas generally; and
(d) the prior written consent of Supplier shall comply with such other instructions and shall carry out such other actions as the Authority andCustomer may notify in writing, where the Authority consents to a transfer, to comply withincluding:
18.2.12.1 (i) incorporating standard and/or model clauses (which are approved by the obligations of a Data Controller European Commission as offering adequate safeguards under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferredLegislation) in this Contract or a separate data processing agreement between the parties; and
18.2.12.2 (ii) procuring that any reasonable instructions notified to it Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Customer on such terms as may be required by the AuthorityCustomer, which the Supplier acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).
18.3 20.5.3 The Contractor Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the this Contract in such a way as to cause the Authority Customer to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 5 contracts
Samples: Framework Agreement, Framework Agreement, Framework Agreement
Protection of Personal Data. 18.1 With respect to 12.1 THE COLLEGE shall be registered under the Parties' rights DPA and both Parties will duly observe all of their applicable obligations under the ContractDPA, the Parties agree that the Authority is the Data Controller and that the Contractor is the Data Processorwhich arise in connection with THE EFA Conditions of Funding.
18.2 12.2 The Contractor shall:
18.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Authority to the Contractor during the Term) and the Contractor Parties shall at the very least all times comply with their applicable obligations under the provisions of Schedule E (Information Security) DPA and HM Government Security Framework all subordinate and related legislation as updated enacted from time to time;
18.2.2 Process . Both Parties acknowledge that they are Data Controllers in common of the Personal Data only to collected and held by THE COLLEGE in performing the extentServices.
12.3 Notwithstanding the general obligation in part two clause 12.1, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;THE COLLEGE shall:
18.2.3 12.3.1 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security)protected;
18.2.4 12.3.2 take reasonable steps to ensure the reliability of any Contractor’s Personnel Staff who have access to the Personal Data;
18.2.5 obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or affiliates for the provision of the Services;
18.2.6 12.3.3 ensure that all Contractor’s Personnel Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the applicable obligations set out in this clause 18EFA Conditions of Funding;
18.2.7 12.3.4 ensure that none of the Contractor’s Personnel Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authorityauthorised;
18.2.8 notify the Authority (within five Working Days) if it receives:
18.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 a complaint or request relating to the Authority's obligations under the Data Protection Legislation;
18.2.9 12.3.5 provide the Authority THE EFA with full co-operation cooperation and assistance in relation to any complaint or request madethat THE EFA receives about Personal Data, including by:
18.2.9.1 providing the Authority with full details of the complaint or request;
18.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;
18.2.9.3 (a) providing the Authority THE EFA with any Personal Data it holds in relation to a Data Subject, Subject (within the timescales required by the AuthorityTHE EFA) to assist THE EFA to respond to a data access request that THE EFA has received; and
18.2.9.4 (b) providing the Authority THE EFA with any information requested by the AuthorityTHE EFA;
18.2.10 12.3.6 permit the Authority THE EFA or THE EFA’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Contractoraudit THE COLLEGE's data Data Processing activities (and/or those of its Personnelagents, subsidiaries and sub-contractors) and comply with all reasonable requests or directions by the Authority THE EFA to enable the Authority THE EFA to verify and/or procure that the Contractor THE COLLEGE is in full compliance with its obligations under the Contractthis EFA Conditions of Funding;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 3 contracts
Samples: Conditions of Funding Agreement, Conditions of Funding Agreement, Conditions of Funding Agreement
Protection of Personal Data. 18.1 18.3.1 With respect to the Partiesparties' rights and obligations under the Contractthis Agreement, the Parties parties agree that the Authority CPS is the Data Controller and that the Contractor is the Data Processor.
18.2 18.3.2 The Contractor shall:
18.2.1 18.3.3 Process the Personal Data only in accordance with instructions from the Authority CPS (which may be specific instructions or instructions of a general nature as set out in the Contract this Agreement or as otherwise notified by the Authority CPS to the Contractor during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to time);
18.2.2 18.3.4 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3 implement 18.3.5 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security)protected;
18.2.4 take 18.3.6 Take reasonable steps to ensure the reliability of any Contractor’s Contractor Personnel who have access to the Personal Data;
18.2.5 obtain 18.3.7 Obtain prior written consent from the Authority CPS in order to transfer the Personal Data to any subSub-contractors or affiliates Affiliates for the provision of the Services;
18.2.6 ensure 18.3.8 Ensure that all Contractor’s Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18.;
18.2.7 ensure 18.3.9 Ensure that none of the Contractor’s Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCPS;
18.2.8 notify 18.3.10 Notify the Authority CPS within 5 (within five five) Working Days) Days if it receives:
18.2.8.1 a 18.3.10.1 A request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 a 18.3.10.2 A complaint or request relating to the Authority's CPS’ obligations under the Data Protection Legislation;
18.2.9 18.3.11 provide the Authority CPS with full co-operation cooperation and assistance in relation to any complaint or request made, including by:
18.2.9.1 18.3.11.1 providing the Authority CPS with full details of the complaint or request;
18.2.9.2 18.3.11.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's CPS’ instructions;
18.2.9.3 18.3.11.3 providing the Authority CPS with any Personal Data it holds in relation to a Data Subject, Subject (within the timescales required by the AuthorityCPS); and
18.2.9.4 18.3.11.4 providing the Authority CPS with any information requested by the AuthorityCPS;
18.2.10 18.3.12 permit the Authority CPS or the CPS Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25(Audits), the Contractor's data Processing activities (and/or those of its Personnelagents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Authority CPS to enable the Authority CPS to verify and/or procure that the Contractor is in full compliance with its obligations under the Contractthis Agreement;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 2 contracts
Samples: Consultancy Services Agreement, Consultancy Services Agreement
Protection of Personal Data. 18.1 20.5.1 With respect to the Partiesparties' rights and obligations under the this Contract, the Parties parties agree that the Authority Customer is the Data Controller and that the Contractor Supplier is the Data Processor.
18.2 20.5.2 The Contractor Supplier shall:
18.2.1 20.5.2.1 Process the Personal Data only in accordance with instructions from the Authority Customer (which may be specific instructions or instructions of a general nature as set out in the this Contract or as otherwise notified by the Authority Customer to the Contractor Supplier during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to timeContract Period);
18.2.2 20.5.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3 20.5.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security)protected;
18.2.4 20.5.2.4 take reasonable steps to ensure the reliability of any Contractor’s Personnel Staff who have access to the Personal Data;
18.2.5 20.5.2.5 obtain prior written consent from the Authority Approval in order to transfer the Personal Data to any subSub-contractors or affiliates Affiliates for the provision of the Services;
18.2.6 20.5.2.6 ensure that all Contractor’s Personnel Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 1820.5;
18.2.7 20.5.2.7 ensure that none of the Contractor’s Personnel Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCustomer;
18.2.8 20.5.2.8 notify the Authority Customer (within five (5) Working Days) if it receives:
18.2.8.1 (a) a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 (b) a complaint or request relating to the AuthorityCustomer's obligations under the Data Protection Legislation;
18.2.9 20.5.2.9 provide the Authority Customer with full co-operation cooperation and assistance in relation to any complaint or request made, including by:
18.2.9.1 (a) providing the Authority Customer with full details of the complaint or request;
18.2.9.2 (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the AuthorityCustomer's instructions;
18.2.9.3 (c) providing the Authority Customer with any Personal Data it holds in relation to a Data Subject, Subject (within the timescales required by the AuthorityCustomer); and
18.2.9.4 (d) providing the Authority Customer with any information requested by the AuthorityCustomer;
18.2.10 20.5.2.10 permit the Authority Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the ContractorSupplier's data Processing activities (and/or those of its Personnelagents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Authority Customer to enable the Authority Customer to verify and/or procure that the Contractor Supplier is in full compliance with its obligations under the this Contract;
18.2.11 20.5.2.11 provide a written description of the technical and organisational methods employed by the Contractor Supplier for processing Personal Data (within the timescales required by the AuthorityCustomer); and
18.2.12 20.5.2.12 not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Supplier (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply:
(a) the Supplier shall submit a request for Variation to the Customer which shall be dealt with in accordance with the Variation Procedure and paragraph (b) to (d) below;
(b) the Supplier shall set out in its request for a Variation details of the following:
(i) the Personal Data which will be Processed and/or transferred outside the European Economic Area;
(ii) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area;
(iii) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and
(iv) how the Supplier will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area;
(c) in providing and evaluating the request for Variation, the parties shall ensure that they have regard to and comply with then-current Customer, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area without and/or overseas generally; and
(d) the prior written consent of Supplier shall comply with such other instructions and shall carry out such other actions as the Authority andCustomer may notify in writing, where the Authority consents to a transfer, to comply withincluding:
18.2.12.1 (i) incorporating standard and/or model clauses (which are approved by the obligations of a Data Controller European Commission as offering adequate safeguards under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferredLegislation) in this Contract or a separate data processing agreement between the parties; and
18.2.12.2 (ii) procuring that any reasonable instructions notified to it Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Customer on such terms as may be required by the AuthorityCustomer, which the Supplier acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).
18.3 20.5.3 The Contractor Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the this Contract in such a way as to cause the Authority Customer to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 2 contracts
Samples: Framework Agreement, Framework Agreement
Protection of Personal Data. 18.1 24.5.1 With respect to the Partiesparties' rights and obligations under the this Contract, the Parties parties agree that the Authority Customer is the Data Controller and that the Contractor Supplier is the Data Processor.
18.2 24.5.2 The Contractor Supplier shall:
18.2.1 24.5.2.1 Process the Personal Data only in accordance with instructions from the Authority Customer (which may be specific instructions or instructions of a general nature as set out in the this Contract or as otherwise notified by the Authority Customer to the Contractor Supplier during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to timeContract Period);
18.2.2 24.5.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3 24.5.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security)protected;
18.2.4 24.5.2.4 take reasonable steps to ensure the reliability of any Contractor’s Personnel Staff who have access to the Personal Data;
18.2.5 24.5.2.5 obtain prior written consent from the Authority Approval in order to transfer the Personal Data to any subSub-contractors or affiliates for the provision of the Services;
18.2.6 24.5.2.6 ensure that all Contractor’s Personnel Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 1824.5;
18.2.7 24.5.2.7 ensure that none of the Contractor’s Personnel Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCustomer;
18.2.8 24.5.2.8 notify the Authority Customer (within five (5) Working Days) if it receives:
18.2.8.1 (a) a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 (b) a complaint or request relating to the AuthorityCustomer's obligations under the Data Protection Legislation;
18.2.9 24.5.2.9 provide the Authority Customer with full co-operation cooperation and assistance in relation to any complaint or request made, including by:
18.2.9.1 (a) providing the Authority Customer with full details of the complaint or request;
18.2.9.2 (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the AuthorityCustomer's instructions;
18.2.9.3 (c) providing the Authority Customer with any Personal Data it holds in relation to a Data Subject, Subject (within the timescales required by the AuthorityCustomer); and
18.2.9.4 (d) providing the Authority Customer with any information requested by the AuthorityCustomer;
18.2.10 24.5.2.10 permit the Authority Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the ContractorSupplier's data Processing activities (and/or those of its Personnelagents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Authority Customer to enable the Authority Customer to verify and/or procure that the Contractor Supplier is in full compliance with its obligations under the this Contract;
18.2.11 24.5.2.11 provide a written description of the technical and organisational methods employed by the Contractor Supplier for processing Processing Personal Data (within the timescales required by the AuthorityCustomer); and
18.2.12 24.5.2.12 not Process or otherwise transfer any Personal Data outside the United Kingdom. If, after the Commencement Date, the Supplier (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the United Kingdom, the following provisions shall apply:
(a) the Supplier shall submit a request for variation to the Customer which shall be dealt with in accordance with the Variation Procedure and paragraph (b) to (d) below;
(b) the Supplier shall set out in its request for a variation details of the following:
(i) the Personal Data which will be Processed and/or transferred outside the United Kingdom;
(ii) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the United Kingdom;
(iii) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the United Kingdom; and
(iv) how the Supplier will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the United Kingdom;
(c) in providing and evaluating the request for variation, the parties shall ensure that they have regard to and comply with then-current Customer, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the United Kingdom and/or overseas generally but, for the avoidance of doubt, the Customer may, in its absolute discretion, refuse to grant Approval of such Process and/or transfer any Personal Data outside the United Kingdom; and
(d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including where the Supplier proposes to Process and/or transfer Personal Data outside of the European Economic Area:
(i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data Processing agreement between the parties; and
(ii) procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area without enters into a direct data Processing agreement with the prior written consent Customer on such terms as may be required by the Customer, which the Supplier acknowledges may include the incorporation of standard and/or model clauses (which are approved by the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller European Commission as offering adequate safeguards under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the AuthorityLegislation).
18.3 24.5.3 The Contractor Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the this Contract in such a way as to cause the Authority Customer to breach any of its applicable obligations under the Data Protection Legislation.
24.5.4 The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
24.5.5 The Supplier shall, at all times during and after the Contract Period, indemnify the Customer and keep the Customer indemnified against all losses, damages, costs or expenses and other liabilities (including legal fees) incurred by, awarded against or agreed to be paid by the Customer arising from any breach of the Supplier's obligations under this clause 24 except and to the extent that such liabilities have resulted directly from the Customer's instructions.
Appears in 2 contracts
Samples: Framework Agreement, Framework Agreement
Protection of Personal Data. 18.1 With respect to The Parties acknowledge that for the Parties' rights and obligations under purposes of the ContractData Protection Legislation, the Parties agree that the Authority Customer is the Data Controller and that the Contractor Supplier is the Processor. The only processing that the Supplier is authorised to do is listed in Schedule 16 (Authorised Processing Template) by the Customer and may not be determined by the Supplier. The Supplier shall notify the Customer immediately if it considers that any of the Customer instructions infringe the Data Processor.
18.2 Protection Legislation. The Contractor Supplier shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Supplier shall:
18.2.1 , in relation to any Personal Data processed in connection with its obligations under this Contract: Process the that Personal Data only in accordance with instructions from Schedule 16 (Authorised Processing Template), unless the Authority (which may be specific instructions or instructions of a general nature as set out in Supplier is required to do otherwise by Law. If it is so required the Contract or as otherwise notified by Supplier shall promptly notify the Authority to the Contractor during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to time;
18.2.2 Process Customer before processing the Personal Data only unless prohibited by Law; ensure that it has in place Protective Measures which have been reviewed and approved by the Customer as appropriate to the extent, and in such manner, as is necessary for the provision protect against a Data Loss Event having taken account of the: nature of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3 implement appropriate technical and organisational measures data to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the protected; harm which that might result from a Data Loss Event; state of technological development; and cost of implementing any unauthorised or unlawful Processing, accidental loss, destruction or damage to measures; ensure that: the Supplier Personnel do not process Personal Data and having regard to the nature of the Personal Data which is to be protected except in accordance with this Contract (and in any event the measures shall not be of a lesser standard than that set out in particular Schedule E 16 (Information SecurityAuthorised Processing Template);
18.2.4 take ); it takes all reasonable steps to ensure the reliability and integrity of any Contractor’s Supplier Personnel who have access to the Personal Data;
18.2.5 obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or affiliates for the provision of the Services;
18.2.6 and ensure that all Contractorthey: are aware of and comply with the Supplier’s Personnel required duties under this Xxxxxx; are subject to access appropriate confidentiality undertakings with the Personal Data Supplier or any Sub-processor; are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18;
18.2.7 ensure that none of the Contractor’s Personnel do not publish, disclose or divulge any of the Personal Data to any third party Party unless directed in writing to do so by the Authority;
18.2.8 notify Customer or as otherwise permitted by this Contract; and have undergone adequate training in the Authority (within five Working Days) if it receives:
18.2.8.1 a request from a Data Subject to have access to that person's use, care, protection and handling of Personal Data; or
18.2.8.2 a complaint or request relating to the Authority's obligations under the Data Protection Legislation;
18.2.9 provide the Authority with full co-operation and assistance in relation to any complaint or request made, including by:
18.2.9.1 providing the Authority with full details of the complaint or request;
18.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;
18.2.9.3 providing the Authority with any Personal Data it holds in relation to a Data Subject, within the timescales required by the Authority; and
18.2.9.4 providing the Authority with any information requested by the Authority;
18.2.10 permit the Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Contractor's data Processing activities (and/or those of its Personnel) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under the Contract;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process transfer Personal Data outside of the European Economic Area without EU unless the prior written consent of the Authority and, where Customer has been obtained and the Authority consents following conditions are fulfilled: the Customer or the Supplier has provided appropriate safeguards in relation to a transfer, to comply with:
18.2.12.1 the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer; the Data Subject has enforceable rights and effective legal remedies; the Supplier complies with its obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 Legislation by providing an adequate level of protection to any Personal Data that is transferredtransferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and
18.2.12.2 and the Supplier complies with any reasonable instructions notified to it in advance by the Authority.
18.3 The Contractor shall comply Customer with respect to the processing of the Personal Data; at all times with the written direction of the Customer, delete or return Personal Data Protection Legislation (and shall not perform its obligations under any copies of it) to the Customer on termination of the Contract in such unless the Supplier is required by Law to retain the Personal Data. Subject to Clause 34.6.7, the Supplier shall notify the Customer immediately if it: receives a way as Data Subject Access Request (or purported Data Subject Access Request); receives a request to cause the Authority rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to breach any of its applicable either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Supplier’s obligation to notify under Clause 34.6.5 shall include the provision of further information to the Customer in phases, as details become available.
Appears in 2 contracts
Samples: Contract Order Form, Contract Order Form and Contract Terms
Protection of Personal Data. 18.1 23.5.1 With respect to the Parties' rights and obligations under the this Contract, the Parties agree that the Authority Customer is the Data Controller and that the Contractor Supplier is the Data Processor.
18.2 The Contractor shall:
23.5.2.1 Process the Personal Data only in accordance with instructions from the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Customer to the Supplier during the Contract Period);
23.5.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services and Goods or as is required by Law or any Regulatory Body;
23.5.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
23.5.2.4 take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data;
23.5.2.5 obtain prior Approval in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services and Goods;
23.5.2.6 ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 23.5;
23.5.2.7 ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer;
23.5.2.8 notify the Customer (within five (5) Working Days) if it receives:
(a) a request from a Data Subject to have access to that person's Personal Data; or
(b) a complaint or request relating to the Customer's obligations under the Data Protection Legislation;
23.5.2.9 provide the Customer with full cooperation and assistance in relation to any complaint or request made, including by:
(a) providing the Customer with full details of the complaint or request;
(b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer's instructions;
(c) providing the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and
(d) providing the Customer with any information requested by the Customer;
23.5.2.10 permit the Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 2 contracts
Samples: Call Off Agreement, Call Off Agreement
Protection of Personal Data. 18.1 With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Authority is the Data Controller and that the Contractor is the Data Processor.
18.2 The Contractor shall:
18.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Authority to the Contractor during the Contract Period) and the Contractor shall at the very least comply with the provisions of the Information Security Schedule;
18.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security);
18.2.4 Take reasonable steps to ensure the reliability of any Contractor’s Personnel who have access to the Personal Data;
18.2.5 Obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or affiliates for the provision of the Services;
18.2.6 Ensure that all Contractors’ Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18;
18.2.7 Ensure that none of the Contractor’s Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority;
18.2.8 Notify the Authority (within five Working Days) if it receives:
18.2.8.1 A request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 A complaint or request relating to the Authority's obligations under the Data Protection Legislation;
18.2.9 Provide the Authority with full co-operation and assistance in relation to any complaint or request made, including by:
18.2.9.1 Providing the Authority with full details of the complaint or request;
18.2.9.2 Complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;
18.2.9.3 providing the Authority with any Personal Data it holds in relation to a Data Subject, within the timescales required by the Authority; and
18.2.9.4 Providing the Authority with any information requested by the Authority;
18.2.10 permit the Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Contractor's data Processing activities (and/or those of its Personnel) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under the Contract;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 Any reasonable instructions notified to it by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 2 contracts
Samples: Supply Agreement, Supply Agreement
Protection of Personal Data.
18.3.1 With respect to the parties' rights and obligations under this Agreement, the parties agree that the CPS is the Data Controller and that the Contractor is the Data Processor.
18.3.2 The Contractor shall:
18.3.3 Process the Personal Data only in accordance with instructions from the CPS (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by the CPS to the Contractor during the Term);
18.3.4 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.3.5 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
18.3.6 Take reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data;
18.3.7 Obtain prior written consent from the CPS in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services;
18.3.8 Ensure that all Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18.0;
18.3.9 Ensure that none of the Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CPS;
18.3.10 Notify the CPS within 5 (five) Working Days if it receives:
18.3.10.1 A request from a Data Subject to have access to that person's Personal Data; or
18.3.10.2 A complaint or request relating to the CPS’ obligations under the Data Protection Legislation;
18.3.11 provide the CPS with full cooperation and assistance in relation to any complaint or request made, including by:
18.3.11.1 providing the CPS with full details of the complaint or request;
18.3.11.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the CPS’ instructions;
18.3.11.3 providing the CPS with any Personal Data it holds in relation to a Data Subject (within the timescales required by the CPS); and
18.3.11.4 providing the CPS with any information requested by the CPS;
18.3.12 permit the CPS or the CPS Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25 (Audits), the Contractor's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the CPS to enable the CPS to verify and/or procure that the Contractor is in full compliance with its obligations under this Agreement;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 2 contracts
Samples: Consultancy Services Agreement, Contract for the Provision of Recruitment Services
Protection of Personal Data. 19.5.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Customer is the Data Controller and that the Supplier is the Data Processor.
19.5.2 The Supplier shall:
19.5.2.1 Process the Personal Data only in accordance with instructions from the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Customer to the Supplier during the Contract Period);
19.5.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
19.5.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
19.5.2.4 take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data;
19.5.2.5 obtain prior Approval in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services;
19.5.2.6 ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 19.5;
19.5.2.7 ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer;
19.5.2.8 notify the Customer (within five (5) Working Days) if it receives:
(a) a request from a Data Subject to have access to that person's Personal Data; or
(b) a complaint or request relating to the Customer's obligations under the Data Protection Legislation;
19.5.2.9 provide the Customer with full cooperation and assistance in relation to any complaint or request made, including by:
(a) providing the Customer with full details of the complaint or request;
(b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer's instructions;
(c) providing the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and
(d) providing the Customer with any information requested by the Customer;
19.5.2.10 permit the Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
19.5.2.11 provide a written description of the technical and organisational methods employed by the Supplier for processing Personal Data (within the timescales required by the Customer); and
19.5.2.12 not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Supplier (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply:
(a) the Supplier shall submit a request for Variation to the Customer which shall be dealt with in accordance with the Variation Procedure and paragraphs 19.5.2.12(b) to 19.5.2.12(d) below;
(b) the Supplier shall set out in its request for a Variation details of the following:
(i) the Personal Data which will be Processed and/or transferred outside the European Economic Area;
(ii) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area;
(iii) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and
(c) how the Supplier will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area
(d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including:
(i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and
(ii) procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Customer on such terms as may be required by the Customer, which the Supplier acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).
19.5.3 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 2 contracts
Samples: Works Order, Order Form
Protection of Personal Data. 12.1 The SFC shall be registered under the DPA and both Parties will duly observe all of their applicable obligations under the DPA, which arise in connection with the EFA Conditions of Funding.
12.2 The Parties shall at all times comply with their applicable obligations under the DPA and all subordinate and related legislation as enacted from time to time. Both Parties acknowledge that they are Data Controllers in common of the Personal Data collected and held by the SFC in performing the Services.
12.3 Notwithstanding the general obligation in part two clause 12.1, SFC shall:
12.3.1 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
12.3.2 take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data;
18.2.5 obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or affiliates for the provision of the Services;
12.3.3 ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the applicable obligations set out in this EFA Conditions of Funding;
12.3.4 ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless authorised;
18.2.8 notify the Authority (within five Working Days) if it receives:
18.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 a complaint or request relating to the Authority's obligations under the Data Protection Legislation;
12.3.5 provide the EFA with full cooperation and assistance in relation to any complaint or request that the EFA receives about Personal Data, including by:
(a) providing the EFA with any Personal Data it holds in relation to a Data Subject (within the timescales required by the EFA) to assist the EFA to respond to a data access request that the EFA has received; and
(b) providing the EFA with any information requested by the EFA;
12.3.6 permit the EFA or the EFA’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the SFC's Data Processing activities (and/or those of its agents, subsidiaries and sub-contractors) and comply with all reasonable requests or directions by the EFA to enable the EFA to verify and/or procure that the SFC is in full compliance with its obligations under this EFA Conditions of Funding;
12.3.7 provide, if requested in writing by the EFA, a written description of the technical and organisational methods employed by the SFC for processing Personal Data (within the timescales required by the EFA);
12.3.8 provide Students with clear and comprehensive information about the purposes for which their Personal Data is processed by SFC and disclosed to EFA for further processing, including, where required, obtaining the consent of Students to processing under the DPA;
12.3.9 provide the EFA with a copy of the Personal Data including the Unique Learner Number in a format and specification approved by the EFA in accordance with the requirements specified at clause 11.5;
12.3.10 take reasonable steps to ensure the accuracy of the Personal Data provided to the EFA and the SFC shall immediately notify the EFA should it become aware of any errors or omissions in the Personal Data provided to EFA;
12.3.11 not process Personal Data outside the European Economic Area without the prior written consent of the EFA and, where the EFA consents to a transfer, to comply with:
(a) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
(b) any reasonable instructions notified to it by the EFA.
12.4 The SFC shall indemnify and keep indemnified the EFA in full from and against all claims, proceedings, actions, damages, losses, penalties, fines, levies, costs and expenses arising out of, in respect of or in connection with, any breach by the SFC or SFC Related Parties, of this part two clause 12 which causes (either partly or fully) a breach by the EFA of its obligations under the DPA.
12.5 The SFC shall comply at all times with the DPA and shall not perform its obligations under this Funding Agreement in such a way as to cause the EFA to breach any of its applicable obligations under the DPA.
Appears in 2 contracts
Protection of Personal Data. 17.1 With respect to the Parties' rights and obligations under this Contract, the parties agree that the Authority is the Data Controller and that the Contractor is the Data Processor.
17.2 The Contractor shall:
17.2.1 process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Authority to the Contractor during the contract);
17.2.2 process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by law or any regulatory body;
17.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
17.2.4 use best endeavours to ensure the reliability of any Staff who have access to the Personal Data;
18.2.5 17.2.5 obtain prior written consent from the Authority in order to before transfer of the Personal Data to any sub-contractors or affiliates agents or consultants for the provision of the Services;
17.2.6 ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Condition 17;
17.2.7 ensure that no Staff publish, disclose or divulge any of the Personal Data to any third party unless the Authority has granted its written consent;
18.2.8 17.2.8 notify the Authority (within five Working Days) working days if it receives:
17.2.8.1 a request from a Data Subject for access to that person's Personal Data; or
17.2.8.2 a complaint or request relating to the Authority's obligations under the Data Protection legislation;
18.2.9 provide the Authority with full co-operation and assistance in relation to any complaint or request made, including by:
18.2.9.1 providing the Authority with full details of the complaint or request;
18.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;
18.2.9.3 providing the Authority with any Personal Data it holds in relation to a Data Subject, within the timescales required by the Authority; and
18.2.9.4 providing the Authority with any information requested by the Authority;
18.2.10 permit the Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Contractor's data Processing activities (and/or those of its Personnel) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under the Contract;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 2 contracts
Samples: Contract for the Provision of Services, Contract for the Provision of Services
Protection of Personal Data. 18.1 With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Authority is the Data Controller and that the Contractor is the Data Processor.
18.2 The Contractor shall:
18.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Authority to the Contractor during the Contract Period) and the Contractor shall at the very least comply with the provisions of the Information Security Schedule;
18.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in the Information Security Schedule;
18.2.4 take reasonable steps to ensure the reliability of any Contractor’s Personnel who have access to the Personal Data;
18.2.5 obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or affiliates for the provision of the Services;
18.2.6 ensure that all Contractor’s Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18;
18.2.7 ensure that none of the Contractor’s Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority;
18.2.8 notify the Authority (within five Working Days) if it receives:
18.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 a complaint or request relating to the Authority's obligations under the Data Protection Legislation;
18.2.9 provide the Authority with full co-operation and assistance in relation to any complaint or request made, including by:
18.2.9.1 providing the Authority with full details of the complaint or request;
18.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;
18.2.9.3 providing the Authority with any Personal Data it holds in relation to a Data Subject, within the timescales required by the Authority; and
18.2.9.4 providing the Authority with any information requested by the Authority;
18.2.10 permit the Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Contractor's data Processing activities (and/or those of its Personnel) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under the Contract;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
18.4 On the demand of the Authority the Contractor shall render to the Authority or destroy all Personal Data held pursuant to this Contract.
Appears in 2 contracts
Samples: Framework Agreement, Contract for Provision of Community Payback Services
Protection of Personal Data. 22.5.1 With respect to the Parties' rights and obligations under this Contract, the Parties agree that the Customer is the Data Controller and that the Supplier is the Data Processor.
22.5.2 The Supplier shall:
22.5.2.1 Process the Personal Data only in accordance with instructions from the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Customer to the Supplier during the Contract Period);
22.5.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
22.5.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
22.5.2.4 take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data;
22.5.2.5 obtain prior Approval in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services;
22.5.2.6 ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22.5;
22.5.2.7 ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer;
22.5.2.8 notify the Customer (within five (5) Working Days) if it receives:
(a) a request from a Data Subject to have access to that person's Personal Data; or
(b) a complaint or request relating to the Customer's obligations under the Data Protection Legislation;
22.5.2.9 provide the Customer with full cooperation and assistance in relation to any complaint or request made, including by:
(a) providing the Customer with full details of the complaint or request;
(b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer's instructions;
(c) providing the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and
(d) providing the Customer with any information requested by the Customer;
22.5.2.10 permit the Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
22.5.2.11 provide a written description of the technical and organisational methods employed by the Supplier for processing Personal Data (within the timescales required by the Customer); and
22.5.3 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation.
22.5.4 The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
22.5.5 The Supplier shall, at all times during and after the Contract Period, indemnify the Customer and keep the Customer fully indemnified against all losses, damages, costs or expenses and other liabilities (including legal fees) incurred by, awarded against or agreed to be paid by the Customer arising from any breach of the Supplier's obligations under this Clause 22.5 except and to the extent that such liabilities have resulted directly from the Customer's instructions.
Appears in 1 contract
Samples: Courier Services Agreement
Protection of Personal Data. 19.4.1 With respect to the Parties' rights and obligations under this Contract, the Parties agree that the Customer is the Data Controller and that the Supplier is the Data Processor.
19.4.2 The Supplier shall:
19.4.2.1 Process the Personal Data only in accordance with instructions from the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Customer to the Supplier during the Contract Period);
19.4.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
19.4.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
19.4.2.4 take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data;
19.4.2.5 obtain prior Approval in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services;
19.4.2.6 ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 19.4;
19.4.2.7 ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer;
19.4.2.8 notify the Customer (within five (5) Contract Notice Days) if it receives:
(a) a request from a Data Subject to have access to that person's Personal Data; or
(b) a complaint or request relating to the Customer's obligations under the Data Protection Legislation;
19.4.2.9 provide the Customer with full cooperation and assistance in relation to any complaint or request made, including by:
(a) providing the Customer with full details of the complaint or request;
(b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer's instructions;
(c) providing the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and
(d) providing the Customer with any information requested by the Customer;
19.4.2.10 permit the Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
19.4.2.11 provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Customer); and
19.4.2.12 not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Supplier (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply:
(a) the Supplier shall submit a request for Variation to the Customer which shall be dealt with in accordance with the Variation Procedure and paragraphs 19.4.2.12(b) to 19.4.2.12(d) below;
(b) the Supplier shall set out in its request for a Variation details of the following:
(i) the Personal Data which will be Processed and/or transferred outside the European Economic Area;
(ii) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area;
(iii) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area;
(c) how the Supplier will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area; and
(d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including:
(i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the Parties; and
(ii) procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Customer on such terms as may be required by the Customer, which the Supplier acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).
19.4.3 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 1 contract
Samples: Framework Agreement
Protection of Personal Data. 6.1 With respect to the parties' rights and obligations under this Agreement, the parties agree that the Authority is the Data Controller and that the Contractor is the Data Processor.
6.2 The Contractor shall:
6.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by the Authority to the Contractor during the term of this Agreement);
6.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
6.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
6.2.4 take reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data;
6.2.5 obtain prior written consent from the Authority in order to transfer the Personal Data to any Sub-contractors or members of the Contractor’s group of companies for the provision of the Services;
6.2.6 ensure that all Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 6;
6.2.7 ensure that none of the Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority;
6.2.8 notify the Authority (within five (5) Days) if it receives:
6.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
6.2.8.2 a complaint or request relating to the Authority's obligations under the Data Protection Legislation;
6.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by:
6.2.9.1 providing the Authority with full details of the complaint or request;
6.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;
6.2.9.3 providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and
6.2.9.4 providing the Authority with any information requested by the Authority;
6.2.10 permit the Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 3 (Audits), the Contractor's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under this Agreement;
6.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
6.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
6.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
6.2.12.2 any reasonable instructions notified to it by the Authority.
6.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 1 contract
Samples: Maintenance and Support Agreement
Protection of Personal Data. 20.5.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Customer is the Data Controller and that the Supplier is the Data Processor.
20.5.2 The Supplier shall:
20.5.2.1 Process the Personal Data only in accordance with instructions from the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Customer to the Supplier during the Contract Period);
20.5.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
20.5.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
20.5.2.4 take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data;
20.5.2.5 obtain prior Approval in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services;
20.5.2.6 ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 20.5;
20.5.2.7 ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer;
20.5.2.8 notify the Customer (within five (5) Working Days) if it receives:
(a) a request from a Data Subject to have access to that person's Personal Data; or
(b) a complaint or request relating to the Customer's obligations under the Data Protection Legislation;
20.5.2.9 provide the Customer with full cooperation and assistance in relation to any complaint or request made, including by:
(a) providing the Customer with full details of the complaint or request;
(b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer's instructions;
(c) providing the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and
(d) providing the Customer with any information requested by the Customer;
20.5.2.10 permit the Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
20.5.2.11 provide a written description of the technical and organisational methods employed by the Supplier for processing Personal Data (within the timescales required by the Customer); and
20.5.3 not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Supplier (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply:
20.5.4 the Supplier shall submit a request for Variation to the Customer which shall be dealt with in accordance with the Variation Procedure and paragraph (b) to (d) below;
20.5.5 the Supplier shall set out in its request for a Variation details of the following:
20.5.6 the Personal Data which will be Processed and/or transferred outside the European Economic Area;
20.5.7 the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area;
20.5.8 any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and
20.5.9 how the Supplier will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer's compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area;
20.5.10 in providing and evaluating the request for Variation, the parties shall ensure that they have regard to and comply with then-current Customer, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally; and
20.5.11 the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including:
20.5.12 incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and
20.5.13 procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Customer on such terms as may be required by the Customer, which the Supplier acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).
20.5.14 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 1 contract
Samples: Framework Agreement
Protection of Personal Data. 12.1 The HEI shall be registered under the DPA and both Parties will duly observe all of their applicable obligations under the DPA, which arise in connection with the ESFA Conditions of Funding.
12.2 The Parties shall at all times comply with their applicable obligations under the DPA and all subordinate and related legislation as enacted from time to time. Both Parties acknowledge that they are Data Controllers in common of the Personal Data collected and held by the HEI in performing the Services.
12.3 Notwithstanding the general obligation in part two clause 12.1, the HEI shall:
12.3.1 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
12.3.2 take reasonable steps to ensure the reliability of any staff who have access to the Personal Data;
12.3.3 ensure that all staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the applicable obligations set out in this ESFA Conditions of Funding;
12.3.4 ensure that none of the staff publish, disclose or divulge any of the Personal Data to any third party unless authorised;
12.3.5 provide the ESFA with full cooperation and assistance in relation to any complaint or request that the ESFA receives about Personal Data, including by:
12.3.5.1 providing the ESFA with any Personal Data it holds in relation to a Data Subject (within the timescales required by the ESFA) to assist the ESFA to respond to a data access request that the ESFA has received; and
12.3.5.2 providing the ESFA with any information requested by the ESFA;
12.3.6 permit the ESFA or the ESFA’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the HEI's Data Processing activities (and/or those of its agents, subsidiaries and sub-HEIs) and comply with all reasonable requests or directions by the ESFA to enable the ESFA to verify and/or procure that the HEI is in full compliance with its obligations under this ESFA Conditions of Funding;
Samples: Conditions of Funding Agreement
Protection of Personal Data. 18.1 22.5.1 With respect to the Parties' rights and obligations under the this Contract, the Parties agree that the Authority Customer is the Data Controller and that the Contractor Supplier is the Data Processor.
18.2 22.5.2 The Contractor Supplier shall:
18.2.1 i. Process the Personal Data only in accordance with instructions from the Authority Customer (which may be specific instructions or instructions of a general nature as set out in the this Contract or as otherwise notified by the Authority Customer to the Contractor Supplier during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to time Contract Period);
18.2.2 ii. Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3 iii. implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security) protected;
18.2.4 iv. take reasonable steps to ensure the reliability of any Contractor’s Personnel Staff who have access to the Personal Data;
18.2.5 v. obtain prior written consent from the Authority Approval in order to transfer the Personal Data to any subSub-contractors Contractors or affiliates Affiliates for the provision of the Services;
18.2.6 vi. ensure that all Contractor’s Personnel Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18 Clause 22.5;
18.2.7 vii. ensure that none of the Contractor’s Personnel Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority Customer;
18.2.8 viii. notify the Authority Customer (within five (5) Working Days) if it receives:
18.2.8.1 (a) a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 (b) a complaint or request relating to the Authority Customer's obligations under the Data Protection Legislation;
18.2.9 ix. provide the Authority Customer with full co-operation cooperation and assistance in relation to any complaint or request made, including by:
18.2.9.1 (a) providing the Authority Customer with full details of the complaint or request;
18.2.9.2 (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority Customer's instructions;
18.2.9.3 (c) providing the Authority Customer with any Personal Data it holds in relation to a Data Subject, Subject (within the timescales required by the Authority Customer); and
18.2.9.4 (d) providing the Authority Customer with any information requested by the Authority;
18.2.10 Customer; x. permit the Authority Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Contractor Supplier's data Processing activities (and/or those of its Personnel agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority Customer to enable the Authority Customer to verify and/or procure that the Contractor Supplier is in full compliance with its obligations under the this Contract;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Samples: Order Form and Call Off Terms
Protection of Personal Data. 18.1 12.1 With respect to the Parties parties' rights and obligations under the Contract this Agreement, the Parties parties agree that in circumstances where the Authority Customer is the Data Controller and that the Contractor SERVICE PROVIDER is the Data Processor.
18.2 The Contractor , the SERVICE PROVIDER shall:
18.2.1 12.1.1 Process the Personal Data only in accordance with instructions from the Authority Customer (which may be specific instructions or instructions of a general nature as set out in the Contract this Agreement or as otherwise notified by the Authority Customer to the Contractor SERVICE PROVIDER during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to time);
18.2.2 12.1.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3 12.1.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security) protected;
18.2.4 12.1.4 take reasonable steps to ensure the reliability of any Contractor’s SERVICE PROVIDER Personnel who have access to the Personal Data;
18.2.5 12.1.5 obtain prior written consent from the Authority Customer in order to transfer the Personal Data to any subSub-contractors or affiliates Affiliates for the provision of the Services. For the purposes of this clause 12.1.5 such consent is deemed to be given by the Customer for the transfer of Personal Data to the Sub-contractors or Affiliates listed in schedule 10 of this Agreement;
18.2.6 12.1.6 ensure that all Contractor’s SERVICE PROVIDER Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18 12;
18.2.7 12.1.7 ensure that none of the Contractor’s SERVICE PROVIDER Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority Customer;
18.2.8 12.1.8 notify the Authority Customer (within five Working Days) if it receives:
18.2.8.1 12.1.8.1 a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 12.1.8.2 a complaint or request relating to the Authority's Customer’s obligations under the Data Protection Legislation;
18.2.9 12.1.9 provide the Authority Customer with full co-operation cooperation and assistance in relation to any complaint or request made, including by:
18.2.9.1 12.1.9.1 providing the Authority Customer with full details of the complaint or request;
18.2.9.2 12.1.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's Customer’s instructions;
18.2.9.3 12.1.9.3 providing the Authority Customer with any Personal Data it holds in relation to a Data Subject, Subject (within the timescales required by the Authority Customer); and
18.2.9.4 12.1.9.4 providing the Authority Customer with any information requested by the Authority Customer;
18.2.10 12.1.10 permit the Customer or the Authority Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Contractor's SERVICE PROVIDER’s data Processing activities procedures (and/or those of its Personnel agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Authority Customer to enable the Authority Customer to verify and/or procure that the Contractor SERVICE PROVIDER is in full compliance with its obligations under the Contract this Agreement;
18.2.11 12.1.11 provide a written description of the technical and organisational methods employed by the Contractor SERVICE PROVIDER for processing Personal Data (within the timescales required by the Authority Customer); and
18.2.12 12.1.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority Customer and, where the Authority Customer consents to a transfer, to comply with:
18.2.12.1 12.1.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 12.1.12.2 any reasonable instructions notified to it by the Authority Customer.
18.3 12.2 The Contractor SERVICE PROVIDER shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract this Agreement in such a way as to cause the Authority Customer to breach any of its applicable obligations under the Data Protection Legislation.
Samples: Framework Agreement for Payment Card Solutions and Associated Services
Protection of Personal Data. 18.1 18.1. With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Authority is the Data Controller and that the Contractor is the Data Processor.
18.2 18.2. The Contractor shall:
18.2.1 18.2.1. Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Authority to the Contractor during the Term Contract Period) and the Contractor shall at the very least comply with the provisions of Schedule E (the Information Security) and HM Government Security Framework as updated from time to time Schedule;
18.2.2 18.2.2. Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3 18.2.3. implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security);
18.2.4 18.2.4. take reasonable steps to ensure the reliability of any Contractor’s Personnel who have access to the Personal Data;
18.2.5 18.2.5. obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or affiliates for the provision of the Services;
18.2.6 18.2.6. ensure that all Contractor’s Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18;
18.2.7 18.2.7. ensure that none of the Contractor’s Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority;
18.2.8 18.2.8. notify the Authority (within five Working Days) if it receives:
18.2.8.1 18.2.8.1. a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 18.2.8.2. a complaint or request relating to the Authority's obligations under the Data Protection Legislation;
18.2.9 18.2.9. provide the Authority with full co-operation and assistance in relation to any complaint or request made, including by:
18.2.9.1 18.2.9.1. providing the Authority with full details of the complaint or request;
18.2.9.2 18.2.9.2. complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;
18.2.9.3 18.2.9.3. providing the Authority with any Personal Data it holds in relation to a Data Subject, within the timescales required by the Authority; and
18.2.9.4 18.2.9.4. providing the Authority with any information requested by the Authority;
18.2.10 18.2.9.5. permit the Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Contractor's data Processing activities (and/or those of its Personnel) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under the Contract;
18.2.11 18.2.10. provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 18.2.11. not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 18.2.11.1. the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 18.2.11.2. any reasonable instructions notified to it by the Authority.
18.3 18.3. The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Samples: Paint Consumables Contract
Protection of Personal Data. 18.1 22.5.1 With respect to the Parties' rights and obligations under the this Contract, the Parties agree that the Authority Customer is the Data Controller and that the Contractor Supplier is the Data Processor.
18.2 22.5.2 The Contractor Supplier shall:
18.2.1 22.5.2.1 Process the Personal Data only in accordance with instructions from the Authority Customer (which may be specific instructions or instructions of a general nature as set out in the this Contract or as otherwise notified by the Authority Customer to the Contractor Supplier during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to time Contract Period);
18.2.2 22.5.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3 22.5.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security) protected;
18.2.4 22.5.2.4 take reasonable steps to ensure the reliability of any Contractor’s Personnel Staff who have access to the Personal Data;
18.2.5 22.5.2.5 obtain prior written consent from the Authority Approval in order to transfer the Personal Data to any subSub-contractors Contractors or affiliates Affiliates for the provision of the Services;
18.2.6 22.5.2.6 ensure that all Contractor’s Personnel Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18 Clause 22.5;
18.2.7 22.5.2.7 ensure that none of the Contractor’s Personnel Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority Customer;
18.2.8 22.5.2.8 notify the Authority Customer (within five (5) Working Days) if it receives:
18.2.8.1 (a) a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 (b) a complaint or request relating to the Authority Customer's obligations under the Data Protection Legislation;
18.2.9 22.5.2.9 provide the Authority Customer with full co-operation cooperation and assistance in relation to any complaint or request made, including by:
18.2.9.1 (a) providing the Authority Customer with full details of the complaint or request;
18.2.9.2 (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority Customer's instructions;
18.2.9.3 (c) providing the Authority Customer with any Personal Data it holds in relation to a Data Subject, Subject (within the timescales required by the Authority Customer); and
18.2.9.4 (d) providing the Authority Customer with any information requested by the Authority Customer;
18.2.10 22.5.2.10 permit the Authority Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Contractor Supplier's data Processing activities (and/or those of its Personnel agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority Customer to enable the Authority Customer to verify and/or procure that the Contractor Supplier is in full compliance with its obligations under the this Contract;
18.2.11 22.5.2.11 provide a written description of the technical and organisational methods employed by the Contractor Supplier for processing Personal Data (within the timescales required by the Authority Customer); and
18.2.12 22.5.2.12 not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Supplier (or any Sub-Contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply:
(a) the Supplier shall submit a request for Variation to the Customer which shall be dealt with in accordance with the Variation Procedure and paragraph (b) to (d) below;
(b) the Supplier shall set out in its request for a Variation details of the following:
(i) the Personal Data which will be Processed and/or transferred outside the European Economic Area;
(ii) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area;
(iii) any Sub-Contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and
(iv) how the Supplier will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area;
(c) in providing and evaluating the request for Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area without and/or overseas generally but, for the prior written consent avoidance of doubt, the Authority Customer may, in its absolute discretion, refuse to grant Approval of such Process and/or transfer any Personal Data outside the European Economic Area; and
(d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, where the Authority consents to a transfer, to comply with including:
18.2.12.1 (i) incorporating standard and/or model Clauses (which are approved by the obligations of a Data Controller European Commission as offering adequate safeguards under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred Legislation) in this Contract or a separate data processing agreement between the parties; and
18.2.12.2 (ii) procuring that any reasonable instructions notified to it Sub-Contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Customer on such terms as may be required by the Authority Customer, which the Supplier acknowledges may include the incorporation of standard and/or model Clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).
18.3 22.5.3 The Contractor Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the this Contract in such a way as to cause the Authority Customer to breach any of its applicable obligations under the Data Protection Legislation.
22.5.4 The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
22.5.5 The Supplier shall, at all times during and after the Contract Period, indemnify the Customer and keep the Customer fully indemnified against all losses, damages, costs or expenses and other liabilities (including legal fees) incurred by, awarded against or agreed to be paid by the Customer arising from any breach of the Supplier's obligations under this Clause 22.5 except and to the extent that such liabilities have resulted directly from the Customer's instructions.
Samples: Framework Agreement
Protection of Personal Data. 18.1 19.1 With respect to the Parties' ’ rights and obligations under the Contract this Agreement, the Parties agree that the Authority Customer is the Data Controller and that the Contractor Supplier is the Data Processor.
18.2 19.2 The Contractor Supplier shall:
18.2.1 19.2.1 Process the Personal Data only in accordance with instructions from the Authority Customer (which may be specific instructions or instructions of a general nature as set out in the Contract this Agreement or as otherwise notified by the Authority Customer to the Contractor Supplier during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to time);
18.2.2 19.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services Supply or as is required by Applicable Law or any Regulatory Body;
18.2.3 19.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security) protected;
18.2.4 19.2.4 take reasonable steps to ensure the reliability of any Contractor’s of the Supplier Personnel who have access to the Personal Data;
18.2.5 19.2.5 obtain prior written consent from the Authority Customer in order to transfer the Personal Data to any sub-contractors or affiliates Affiliates for the provision of the Services Supply;
18.2.6 19.2.6 ensure that all Contractor’s Supplier Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18 Clause 19;
18.2.7 19.2.7 ensure that none of the Contractor’s Supplier Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority Customer;
18.2.8 19.2.8 notify the Authority Customer (within five (5) Working Days) if it receives:
18.2.8.1 (a) a request from a Data Subject to have access to that person's ’s Personal Data Data (a “Data Access Request”); or
18.2.8.2 (b) a complaint or request relating to the Authority's Customer’s obligations under the Data Protection Legislation;
18.2.9 19.2.9 provide the Authority Customer with full co-operation cooperation and assistance in relation to any complaint or request made, including by:
18.2.9.1 (a) providing the Authority Customer with full details of the complaint or request;
18.2.9.2 (b) complying with a data access request Data Access Request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's Customer’s instructions;
18.2.9.3 (c) providing the Authority Customer with any Personal Data it holds in relation to a Data Subject, Subject (within the timescales required by the Authority Customer); and
18.2.9.4 (d) providing the Authority Customer with any information requested by the Authority Customer;
18.2.10 19.2.10 permit the Authority Customer (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, audit the Contractor's Supplier’s data Processing activities (and/or those of its Personnel agents, subsidiaries and sub-contractors) and comply with all reasonable requests or directions by the Authority Customer to enable the Authority Customer to verify and/or procure that the Contractor Supplier is in full compliance with its obligations under the Contract this Agreement;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Samples: Contract
Protection of Personal Data. 18.1 22.5.1 With respect to the Parties' rights and obligations under the this Contract, the Parties agree that the Authority Customer is the Data Controller and that the Contractor Supplier is the Data Processor.
18.2 22.5.2 The Contractor Supplier shall:
18.2.1 22.5.2.1 Process the Personal Data only in accordance with instructions from the Authority Customer (which may be specific instructions or instructions of a general nature as set out in the this Contract or as otherwise notified by the Authority Customer to the Contractor Supplier during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to time Contract Period);
18.2.2 22.5.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3 22.5.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security) protected;
18.2.4 22.5.2.4 take reasonable steps to ensure the reliability of any Contractor’s Personnel Staff who have access to the Personal Data;
18.2.5 22.5.2.5 obtain prior written consent from the Authority Approval in order to transfer the Personal Data to any subSub-contractors Contractors or affiliates Affiliates for the provision of the Services;
18.2.6 22.5.2.6 ensure that all Contractor’s Personnel Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18Clause 22.5;
18.2.7 22.5.2.7 ensure that none of the Contractor’s Personnel Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCustomer;
18.2.8 22.5.2.8 notify the Authority Customer (within five (5) Working Days) if it receives:
(a) a request from a Data Subject to have access to that person's Personal Data; or
(b) a complaint or request relating to the Customer's obligations under the Data Protection Legislation;
22.5.2.9 provide the Customer with full cooperation and assistance in relation to any complaint or request made, including by:
(a) providing the Customer with full details of the complaint or request;
(b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer's instructions;
(c) providing the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and
(d) providing the Customer with any information requested by the Customer;
22.5.2.10 permit the Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
22.5.2.11 provide a written description of the technical and organisational methods employed by the Supplier for processing Personal Data (within the timescales required by the Customer); and
22.5.2.12 [not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Supplier (or any Sub-Contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply:
(a) the Supplier shall submit a request for Variation to the Customer which shall be dealt with in accordance with the Variation Procedure and paragraph (b) to (d) below;
(b) the Supplier shall set out in its request for a Variation details of the following:
(i) the Personal Data which will be Processed and/or transferred outside the European Economic Area;
(ii) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area;
(iii) any Sub-Contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and
(iv) how the Supplier will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area;
(c) in providing and evaluating the request for Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally but, for the avoidance of doubt, the Customer may, in its absolute discretion, refuse to grant Approval of such Process and/or transfer any Personal Data outside the European Economic Area; and
(d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including:
(i) incorporating standard and/or model Clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and
(ii) procuring that any Sub-Contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Customer on such terms as may be required by the Customer, which the Supplier acknowledges may include the incorporation of standard and/or model Clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).]
22.5.3 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation.
22.5.4 The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
22.5.5 The Supplier shall, at all times during and after the Contract Period, indemnify the Customer and keep the Customer fully indemnified against all losses, damages, costs or expenses and other liabilities (including legal fees) incurred by, awarded against or agreed to be paid by the Customer arising from any breach of the Supplier's obligations under this Clause 22.5 except and to the extent that such liabilities have resulted directly from the Customer's instructions.
Samples: Courier Services Contract
Protection of Personal Data. 24.5.1 With respect to the Parties' rights and obligations under this Contract, the Parties agree that the Customer is the Data Controller and that the Supplier is the Data Processor.
24.5.2 The Supplier shall:
24.5.2.1 Process the Personal Data only in accordance with instructions from the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Customer to the Supplier during the Contract Period);
Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services and Goods or as is required by Law or any Regulatory Body;
implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
24.5.2.2 take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data;
24.5.2.3 obtain prior written Approval in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services and Goods;
24.5.2.4 ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 24.5;
24.5.2.5 ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer;
24.5.2.6 notify the Customer (within five (5) Working Days) if it receives:
(a) a request from a Data Subject to have access to that person's Personal Data; or
(b) a complaint or request relating to the Customer's obligations under the Data Protection Legislation;
24.5.2.7 provide the Customer with full cooperation and assistance in relation to any complaint or request made, including by:
(a) providing the Customer with full details of the complaint or request;
(b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer's instructions;
(c) providing the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and
(d) providing the Customer with any information requested by the Customer;
24.5.2.8 permit (or procure permission for) the Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
24.5.2.9 provide a written description of the technical and organisational methods employed by the Supplier for processing Personal Data (within the timescales required by the Customer); and
24.5.2.10 [not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Supplier (or any Sub-Contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply:
(a) the Supplier shall submit a request for Variation to the Customer which shall be dealt with in accordance with the Variation Procedure and paragraph (b) to (d) below;
(b) the Supplier shall set out in its request for a Variation details of the following:
(i) the Personal Data which will be Processed and/or transferred outside the European Economic Area;
(ii) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area;
(iii) any Sub-Contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and
(iv) how the Supplier will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer's compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area;
(c) in providing and evaluating the request for Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally but, for the avoidance of doubt, the Customer may, in its absolute discretion, refuse to grant Approval of such Processing and/or transfer of any Personal Data outside the European Economic Area; and
(d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including:
(i) incorporating standard and/or model Clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and
(ii) procuring that any Sub-Contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Customer on such terms as may be required by the Customer, which the Supplier acknowledges may include the incorporation of standard and/or model Clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).]
24.5.3 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation.
24.5.4 The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
24.5.5 The Supplier shall, at all times during and after the Contract Period, indemnify the Customer and keep the Customer fully indemnified against all losses, damages, costs or expenses and other liabilities (including legal fees) incurred by, awarded against or agreed to be paid by the Customer arising from any breach of the Supplier's obligations under this Clause 24 except and to the extent that such liabilities have resulted directly from the Customer's instructions.
Samples: Call Off Contract
Protection of Personal Data. 12.1 With respect to the parties' rights and obligations under this Agreement, the parties agree that the Department is the Data Controller and that the Contractor is the Data Processor.
12.2 The Contractor shall:
12.2.1 process the Personal Data only in accordance with instructions from the Department (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by the Department to the Contractor during the Term);
12.2.2 process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
12.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
12.2.4 take reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data;
12.2.5 obtain prior written consent from the Department in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services;
12.2.6 ensure that all Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 12;
12.2.7 ensure that none of the Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Department;
12.2.8 notify the Department (within five Working Days) if it receives:
12.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
12.2.8.2 a complaint or request relating to the Department's obligations under the Data Protection Legislation;
12.2.8.3 provide the Department with full cooperation and assistance in relation to any complaint or request made, including by:
· providing the Department with full details of the complaint or request;
· complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Department's instructions;
· providing the Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Department); and
· providing the Department with any information requested by the Department;
12.2.9 permit the Department or the Department Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Department to enable the Department to verify and/or procure that the Contractor is in full compliance with its obligations under this Agreement;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Protection of Personal Data. 19.4.1 With respect to the Parties' rights and obligations under this Contract, the Parties agree that the Customer is the Data Controller and that the Supplier is the Data Processor.
19.4.2 The Supplier shall:
19.4.2.1 Process the Personal Data only in accordance with instructions from the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Customer to the Supplier during the Contract Period);
19.4.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
19.4.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
19.4.2.4 take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data;
19.4.2.5 obtain prior written Approval in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services;
19.4.2.6 ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 19.4;
19.4.2.7 ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer;
19.4.2.8 notify the Customer (within five (5) Contract Notice Days) if it receives:
(a) a request from a Data Subject to have access to that person's Personal Data; or
(b) a complaint or request relating to the Customer's obligations under the Data Protection Legislation;
19.4.2.9 provide the Customer with full cooperation and assistance in relation to any complaint or request made, including by:
(a) providing the Customer with full details of the complaint or request;
(b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer's instructions;
(c) providing the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and
(d) providing the Customer with any information requested by the Customer;
19.4.2.10 permit the Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
19.4.2.11 provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Customer); and
19.4.2.12 not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Supplier (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply:
(a) the Supplier shall submit a request for Variation to the Customer which shall be dealt with in accordance with the Variation Procedure and paragraphs 19.4.2.12(b) to 19.4.2.12(d) below;
(b) the Supplier shall set out in its request for a Variation details of the following:
(i) the Personal Data which will be Processed and/or transferred outside the European Economic Area;
(ii) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area;
(iii) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area;
(c) how the Supplier will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer's compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area; and
(d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including:
(i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the Parties; and
(ii) procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Customer on such terms as may be required by the Customer, which the Supplier acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).
19.4.3 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation.
Samples: Framework Agreement
Protection of Personal Data. 6.1.1 With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor in relation to the Authority’s Personal Data.
6.1.2 The Supplier shall:
6.1.2.1 Process the Authority’s Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Authority to the Supplier during the term of the Contract);
6.1.2.2 Process the Authority’s Personal Data only to the extent, and in such manner, as is necessary for the provision of the Contract Services or as is required by Law or any Regulatory Body;
6.1.2.3 implement appropriate technical and organisational measures to protect the Authority’s Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Authority’s Personal Data and having regard to the nature of the Authority’s Personal Data which is to be protected;
6.1.2.4 take reasonable steps to ensure the reliability of all members of the Supplier’s Staff who have access to the Authority’s Personal Data;
6.1.2.5 obtain the Authority’s prior written approval in order to transfer all or any of the Authority’s Personal Data to any Sub-Contractors for the provision of the Contract Services;
6.1.2.6 ensure that all members of the Supplier’s Staff required to access the Authority’s Personal Data are informed of the confidential nature of the Authority’s Personal Data and comply with the obligations set out in this Clause 6.1;
6.1.2.7 ensure that none of the Supplier’s Staff publish, disclose or divulge any of the Authority’s Personal Data to any third party unless directed in writing to do so by the Authority;
6.1.2.8 notify the Authority within five (5) Working Days if the Supplier receives:
(a) a request from a Data Subject to have access to the Authority’s Personal Data relating to that person's Personal Data; or
(b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation;
6.1.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made relating to the Authority’s Personal Data, including by:
(a) providing the Authority with full details of the complaint or request;
(b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;
(c) providing the Authority with any Authority’s Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and
(d) providing the Authority with any information requested by the Authority;
6.1.2.10 permit or procure permission for the Authority and/or the Authority’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Supplier's data Processing activities (and/or those of its agents and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under the Contract;
6.1.2.11 provide a written description of the technical and organisational methods employed by the Supplier for Processing the Authority’s Personal Data (within the timescales required by the Authority); and
18.2.12 6.1.2.12 not Process or otherwise transfer any Authority’s Personal Data outside the European Economic Area without the prior written consent of the Authority and, where which may be given on such terms as the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authorityits discretion thinks fit.
6.1.3 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
6.1.4 The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to the Authority’s Personal Data that the Authority may be irreparably harmed (including harm to its reputation). In such circumstances, the Authority may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
6.1.5 In the event that through any failure by the Supplier to comply with its obligations under the Contract, Authority’s Personal Data is transmitted or Processed in connection with the Contract is either lost or sufficiently degraded so as to be unusable, the Supplier shall be liable for the cost of reconstitution of that data and shall reimburse the Authority in respect of any charge levied for its transmission and any other costs charged in connection with such failure by the Supplier.
Appears in 1 contract
Samples: Professional Services
Protection of Personal Data. 17.5.1 With respect to the Parties' rights and obligations under this Contract, the Parties agree that the Customer is the Data Controller and that the Supplier is the Data Processor.
18.2 The Contractor shall:
17.5.2.1 Process the Personal Data only in accordance with instructions from the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Customer to the Supplier during the Contract Period);
17.5.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services and Goods or as is required by Law or any Regulatory Body;
17.5.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
17.5.2.4 take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data;
17.5.2.5 obtain prior written Approval in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services and Goods;
17.5.2.6 ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.5;
17.5.2.7 ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer;
17.5.2.8 notify the Customer (within five (5) Working Days) if it receives:
(a) a request from a Data Subject to have access to that person's Personal Data; or
(b) a complaint or request relating to the Customer's obligations under the Data Protection Legislation;
17.5.2.9 provide the Customer with full cooperation and assistance in relation to any complaint or request made, including by:
(a) providing the Customer with full details of the complaint or request;
(b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer's instructions;
(c) providing the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and
(d) providing the Customer with any information requested by the Customer;
17.5.2.10 permit the Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 1 contract
Samples: Order Form and Call Off Terms
Protection of Personal Data. 20.5.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Customer is the Data Controller and that the Supplier is the Data Processor.
20.5.2 The Supplier shall:
20.5.2.1 Process the Personal Data only in accordance with instructions from the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Customer to the Supplier during the Contract Period);
20.5.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
20.5.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
20.5.2.4 take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data;
20.5.2.5 obtain prior written Approval in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services;
20.5.2.6 ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 20.5;
20.5.2.7 ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer;
20.5.2.8 notify the Customer (within five (5) Working Days) if it receives:
(a) a request from a Data Subject to have access to that person's Personal Data; or
(b) a complaint or request relating to the Customer's obligations under the Data Protection Legislation;
20.5.2.9 provide the Customer with full cooperation and assistance in relation to any complaint or request made, including by:
(a) providing the Customer with full details of the complaint or request;
(b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer's instructions;
(c) providing the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and
(d) providing the Customer with any information requested by the Customer;
20.5.2.10 permit the Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
20.5.2.11 provide a written description of the technical and organisational methods employed by the Supplier for processing Personal Data (within the timescales required by the Customer); and
20.5.2.12 not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Supplier (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply:
(a) the Supplier shall submit a request for Variation to the Customer which shall be dealt with in accordance with the Variation Procedure and paragraph (b) to (d) below;
(b) the Supplier shall set out in its request for a Variation details of the following:
(i) the Personal Data which will be Processed and/or transferred outside the European Economic Area;
(ii) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area;
(iii) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and
(iv) how the Supplier will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area;
(c) in providing and evaluating the request for Variation, the parties shall ensure that they have regard to and comply with then-current Customer, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally; and
(d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including:
(i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and
(ii) procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Customer on such terms as may be required by the Customer, which the Supplier acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).
20.5.3 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 1 contract
Samples: Framework Agreement
Protection of Personal Data. 18.3.1 With respect to the parties' rights and obligations under this Agreement, the parties agree that the CPS is the Data Controller and that the Contractor is the Data Processor.
18.3.2 The Contractor shall:
18.3.3 Process the Personal Data only in accordance with instructions from the CPS (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by the CPS to the Contractor during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to time);
18.3.4 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.3.5 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
18.3.6 Take reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data;
18.3.7 Obtain prior written consent from the CPS in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services;
18.3.8 Ensure that all Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18.0;
18.3.9 Ensure that none of the Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CPS;
18.3.10 Notify the CPS within 5 (five) Working Days if it receives:
18.3.10.1 A request from a Data Subject to have access to that person's Personal Data; or
18.3.10.2 A complaint or request relating to the CPS’ obligations under the Data Protection Legislation;
18.3.11 provide the CPS with full cooperation and assistance in relation to any complaint or request made, including by:
18.3.11.1 providing the CPS with full details of the complaint or request;
18.3.11.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the CPS’ instructions;
18.3.11.3 providing the CPS with any Personal Data it holds in relation to a Data Subject (within the timescales required by the CPS); and
18.3.11.4 providing the CPS with any information requested by the CPS;
18.3.12 permit the CPS or the CPS Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25 (Audits), the Contractor's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the CPS to enable the CPS to verify and/or procure that the Contractor is in full compliance with its obligations under this Agreement;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 1 contract
Protection of Personal Data. 18.1 With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Financial Ombudsman Service is the Data Controller and that the Contractor is the Data Processor.
18.2 The Contractor shall:
18.2.1 process the Personal Data only in accordance with instructions from the Financial Ombudsman Service (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Financial Ombudsman Service to the Contractor during the Term) and the Contractor shall at the very least comply with the provisions of Schedule C (Information Security) and HM Government Security Framework as updated from time to time);
18.2.2 process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule C (Information Security);
18.2.4 take reasonable steps to ensure the reliability of any Contractor’s Personnel who have access to the Personal Data;
18.2.5 obtain prior written consent from the Financial Ombudsman Service in order to transfer the Personal Data to any sub-contractors or affiliates for the provision of the Services;
18.2.6 ensure that all Contractor’s Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18;
18.2.7 ensure that none of the Contractor’s Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Financial Ombudsman Service;
18.2.8 notify the Financial Ombudsman Service (within five Working Days) if it receives:
18.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 a complaint or request relating to the Financial Ombudsman Service's obligations under the Data Protection Legislation;
18.2.9 provide the Financial Ombudsman Service with full co-operation and assistance in relation to any complaint or request made, including by:
18.2.9.1 providing the Financial Ombudsman Service with full details of the complaint or request;
18.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Financial Ombudsman Service's instructions;
18.2.9.3 providing the Financial Ombudsman Service with any Personal Data it holds in relation to a Data Subject, within the timescales required by the Financial Ombudsman Service; and
18.2.9.4 providing the Financial Ombudsman Service with any information requested by the Financial Ombudsman Service;
18.2.10 permit the Financial Ombudsman Service (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 24, the Contractor's data Processing activities (and/or those of its Personnel) and comply with all reasonable requests or directions by the Financial Ombudsman Service to enable the Financial Ombudsman Service to verify and/or procure that the Contractor is in full compliance with its obligations under the Contract;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Financial Ombudsman Service); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Financial Ombudsman Service and, where the Financial Ombudsman Service consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Financial Ombudsman Service.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Financial Ombudsman Service to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 1 contract
Protection of Personal Data. 18.1. With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Authority is the Data Controller and that the Contractor is the Data Processor.
18.2. The Contractor shall:
18.2.1. Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Authority to the Contractor during the Contract Period) and the Contractor shall at the very least comply with the provisions of the Information Security Schedule;
18.2.2. Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3. implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security);
18.2.4. take reasonable steps to ensure the reliability of any Contractor’s Personnel who have access to the Personal Data;
18.2.5. obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or affiliates for the provision of the Services;
18.2.6. ensure that all Contractor’s Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18;
18.2.7. ensure that none of the Contractor’s Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority;
18.2.8. notify the Authority (within five Working Days) if it receives:
18.2.8.1. a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2. a complaint or request relating to the Authority's obligations under the Data Protection Legislation;
18.2.9. provide the Authority with full co-operation and assistance in relation to any complaint or request made, including by:
18.2.9.1. providing the Authority with full details of the complaint or request;
18.2.9.2. complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;
18.2.9.3. providing the Authority with any Personal Data it holds in relation to a Data Subject, within the timescales required by the Authority; and
18.2.9.4 providing the Authority with any information requested by the Authority;
18.2.10 permit the Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Contractor's data Processing activities (and/or those of its Personnel) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under the Contract;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 1 contract
Samples: Supply Agreement
Protection of Personal Data. 12.1 The SFC shall be registered under the DPA and both Parties will duly observe all of their applicable obligations under the DPA, which arise in connection with the ESFA Conditions of Funding.
12.2 The Parties shall at all times comply with their applicable obligations under the DPA and all subordinate and related legislation as enacted from time to time. Both Parties acknowledge that they are Data Controllers in common of the Personal Data collected and held by the SFC in performing the Services.
12.3 Notwithstanding the general obligation in Part Two clause 12.1, the SFC shall:
12.3.1 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
12.3.2 take reasonable steps to ensure the reliability of any staff who have access to the Personal Data;
18.2.5 obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or affiliates for the provision of the Services;
12.3.3 ensure that all staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the applicable obligations set out in this ESFA Conditions of Funding;
12.3.4 ensure that none of the staff publish, disclose or divulge any of the Personal Data to any third party unless authorised;
18.2.8 notify the Authority (within five Working Days) if it receives:
18.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 a complaint or request relating to the Authority's obligations under the Data Protection Legislation;
18.2.9 12.3.5 provide the Authority ESFA with full co-operation cooperation and assistance in relation to any complaint or request madethat the ESFA receives about Personal Data, including by:;
18.2.9.1 (a) providing the Authority with full details of the complaint or request;
18.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;
18.2.9.3 providing the Authority ESFA with any Personal Data it holds in relation to a Data Subject, Subject (within the timescales required by the AuthorityESFA) to assist the ESFA to respond to a data access request that the ESFA has received; and
18.2.9.4 (b) providing the Authority ESFA with any information requested by the AuthorityESFA;
18.2.10 12.3.6 permit the Authority ESFA or the ESFA’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, audit the ContractorSFC's data Data Processing activities (and/or those of its Personnelagents, subsidiaries and sub-contractors) and comply with all reasonable requests or directions by the Authority ESFA to enable the Authority ESFA to verify and/or procure that the Contractor SFC is in full compliance with its obligations under the Contractthis ESFA Conditions of Funding;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Samples: Conditions of Funding Agreement
Protection of Personal Data. 18.1 With respect to 12.1 THE COLLEGE shall be registered under the Parties' rights DPA and both Parties will duly observe all of their applicable obligations under the ContractDPA, the Parties agree that the Authority is the Data Controller and that the Contractor is the Data Processorwhich arise in connection with THE ESFA Conditions of Funding.
18.2 12.2 The Contractor shall:
18.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Authority to the Contractor during the Term) and the Contractor Parties shall at the very least all times comply with their applicable obligations under the provisions of Schedule E (Information Security) DPA and HM Government Security Framework all subordinate and related legislation as updated enacted from time to time;
18.2.2 Process . Both Parties acknowledge that they are Data Controllers in common of the Personal Data only to collected and held by THE COLLEGE in performing the extentServices.
12.3 Notwithstanding the general obligation in part two clause 12.1, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;THE COLLEGE shall:
18.2.3 12.3.1 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security)protected;
18.2.4 12.3.2 take reasonable steps to ensure the reliability of any Contractor’s Personnel Staff who have access to the Personal Data;
18.2.5 obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or affiliates for the provision of the Services;
18.2.6 12.3.3 ensure that all Contractor’s Personnel Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the applicable obligations set out in this clause 18ESFA Conditions of Funding;
18.2.7 12.3.4 ensure that none of the Contractor’s Personnel Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authorityauthorised;
18.2.8 notify the Authority (within five Working Days) if it receives:
18.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 a complaint or request relating to the Authority's obligations under the Data Protection Legislation;
18.2.9 12.3.5 provide the Authority THE ESFA with full co-operation cooperation and assistance in relation to any complaint or request madethat THE ESFA receives about Personal Data, including by:
18.2.9.1 providing the Authority with full details of the complaint or request;
18.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;
18.2.9.3 (a) providing the Authority THE ESFA with any Personal Data it holds in relation to a Data Subject, Subject (within the timescales required by the AuthorityTHE ESFA) to assist THE ESFA to respond to a data access request that THE ESFA has received; and
18.2.9.4 (b) providing the Authority THE ESFA with any information requested by the AuthorityTHE ESFA;
18.2.10 12.3.6 permit the Authority THE ESFA or THE ESFA’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Contractoraudit THE COLLEGE's data Data Processing activities (and/or those of its Personnelagents, subsidiaries and sub-contractors) and comply with all reasonable requests or directions by the Authority THE ESFA to enable the Authority THE ESFA to verify and/or procure that the Contractor THE COLLEGE is in full compliance with its obligations under the Contractthis ESFA Conditions of Funding;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Samples: Conditions of Funding Agreement
Protection of Personal Data. 18.1
19.5.1 With respect to the Partiesparties' rights and obligations under the this Contract, the Parties parties agree that the Authority Customer is the Data Controller and that the Contractor Supplier is the Data Processor.
18.2 19.5.2 The Contractor Supplier shall:
18.2.1 19.5.2.1 Process the Personal Data only in accordance with instructions from the Authority Customer (which may be specific instructions or instructions of a general nature as set out in the this Contract or as otherwise notified by the Authority Customer to the Contractor Supplier during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to timeContract Period);
18.2.2 19.5.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body;
18.2.3 19.5.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security)protected;
18.2.4 19.5.2.4 take reasonable steps to ensure the reliability of any Contractor’s Personnel Staff who have access to the Personal Data;
18.2.5 19.5.2.5 obtain prior written consent from the Authority Approval in order to transfer the Personal Data to any subSub-contractors or affiliates Affiliates for the provision of the Services;
18.2.6 19.5.2.6 ensure that all Contractor’s Personnel Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 1819.5;
18.2.7 19.5.2.7 ensure that none of the Contractor’s Personnel Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCustomer;
18.2.8 19.5.2.8 notify the Authority Customer (within five (5) Working Days) if it receives:
18.2.8.1 (a) a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 (b) a complaint or request relating to the AuthorityCustomer's obligations under the Data Protection Legislation;
18.2.9 19.5.2.9 provide the Authority Customer with full co-operation cooperation and assistance in relation to any complaint or request made, including by:
18.2.9.1 (a) providing the Authority Customer with full details of the complaint or request;
18.2.9.2 (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the AuthorityCustomer's instructions;
18.2.9.3 (c) providing the Authority Customer with any Personal Data it holds in relation to a Data Subject, within the timescales required by the Authority; and
18.2.9.4 providing the Authority with any information requested by the Authority;
18.2.10 permit the Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Contractor's data Processing activities (and/or those of its Personnel) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under the Contract;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data Subject (within the timescales required by the AuthorityCustomer); and
18.2.12 not Process Personal Data outside (d) providing the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to Customer with any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it information requested by the Authority.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.Customer;
Samples: Framework Agreement
Protection of Personal Data. 18.1 17.1 With respect to the Partiesparties' rights and obligations under the this Contract, the Parties parties agree that the Authority CUSTOMER is the Data Controller and that the Contractor SERVICE PROVIDER is the Data Processor.
18.2 17.2 The Contractor SERVICE PROVIDER shall:
18.2.1 17.2.1 Process the Personal Data only in accordance with instructions from the Authority CUSTOMER (which may be specific instructions or instructions of a general nature as set out in the this Contract or as otherwise notified by the Authority CUSTOMER to the Contractor SERVICE PROVIDER during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to time);
18.2.2 17.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Ordered Information Management & Learning Services or as is required by Law or any Regulatory Body;
18.2.3 17.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security)protected;
18.2.4 17.2.4 take all reasonable steps endeavours to ensure the reliability of any Contractor’s SERVICE PROVIDER’s Personnel who have access to the Personal Data;
18.2.5 17.2.5 obtain prior written consent Approval from the Authority CUSTOMER in order to transfer the Personal Data to any subSub-contractors Contractors or affiliates Affiliates for the provision of the Ordered Information Management & Learning Services;
18.2.6 17.2.6 ensure that all Contractor’s SERVICE PROVIDER’s Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18Clause 17.2;
18.2.7 17.2.7 ensure that none of the Contractor’s SERVICE PROVIDER Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCUSTOMER;
18.2.8 17.2.8 notify the Authority (CUSTOMER within five (5) Working Days) Days if it receives:
18.2.8.1 17.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 17.2.8.2 a complaint or request relating to the AuthorityCUSTOMER's obligations under the Data Protection Legislation;
18.2.9 17.2.9 provide the Authority CUSTOMER with full co-operation cooperation and assistance in relation to any complaint or request made, including by:
18.2.9.1 17.2.9.1 providing the Authority CUSTOMER with full details of the complaint or request;
18.2.9.2 17.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the AuthorityCUSTOMER's instructions;
18.2.9.3 17.2.9.3 providing the Authority CUSTOMER with any Personal Data it holds in relation to a Data Subject, Subject (within the timescales required by the AuthorityCUSTOMER); and
18.2.9.4 17.2.9.4 providing the Authority CUSTOMER with any information requested by the Authority;CUSTOMER.
18.2.10 17.2.10 permit the Authority CUSTOMER or the [CUSTOMER’s representative] (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25Clause 37, the ContractorSERVICE PROVIDER's data Processing activities (and/or those of its Personnelagents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority CUSTOMER to enable the Authority CUSTOMER to verify and/or procure that the Contractor SERVICE PROVIDER is in full compliance with its obligations under the this Contract;
18.2.11 17.2.11 provide a written description of the technical and organisational methods employed by the Contractor SERVICE PROVIDER for processing Personal Data (within the timescales required by the AuthorityCUSTOMER); and
18.2.12 17.2.12 not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the SERVICE PROVIDER (or any Sub-Contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply:
17.2.12.1 the SERVICE PROVIDER shall submit a Contract Change Note to the CUSTOMER which shall be dealt with in accordance with the Contract Change Procedure and Clauses 17.2.12.2 to 17.2.12.4 below;
17.2.12.2 the SERVICE PROVIDER shall set out in its Contract Change Note (and/or impact assessment) details of the following:
(a) the Personal Data which will be Processed and/or transferred outside the United Kingdom;
(b) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the United Kingdom;
(c) any Sub-Contractors or other third parties who will be Processing and/or transferring Personal Data outside the United Kingdom; and
(d) how the SERVICE PROVIDER will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the CUSTOMER’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the United Kingdom;
17.2.12.3 in providing and evaluating the Contract Change Note, the Parties shall ensure that they have regard to and comply with then-current CUSTOMER, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the United Kingdom and/or overseas generally but, for the avoidance of doubt, the CUSTOMER may, in its absolute discretion, refuse to grant Approval of such process and/or transfer any Personal Data outside the UK; and
17.2.12.4 the SERVICE PROVIDER shall comply with such other instructions and shall carry out such other actions as the CUSTOMER may notify in writing, including where the SERVICE PROVIDER proposes the Process and/or transfer Personal Data outside of the European Economic Area:
(a) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and
(b) procuring that any Sub-Contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area without enters into a direct data processing agreement with the prior written consent CUSTOMER on such terms as may be required by the CUSTOMER, which the SERVICE PROVIDER acknowledges may include the incorporation of standard and/or model clauses (which are approved by the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller European Commission as offering adequate safeguards under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the AuthorityLegislation).
18.3 17.3 The Contractor SERVICE PROVIDER shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the this Contract in such a way as to cause the Authority CUSTOMER to breach any of its applicable obligations under the Data Protection Legislation.
17.4 The SERVICE PROVIDER acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the CUSTOMER may be irreparably harmed (including harm to its reputation). In such circumstances, the CUSTOMER may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
17.5 The SERVICE PROVIDER shall, at all times during and after the Contract Period, fully indemnify the CUSTOMER and keep the CUSTOMER fully indemnified against all losses, damages, costs or expenses and other liabilities (including legal fees) incurred by, awarded against or agreed to be paid by the CUSTOMER arising from any breach of the SERVICE PROVIDER's obligations under this clause 17 except and to the extent that such liabilities have resulted directly from the CUSTOMER's instructions.
Samples: Call Off Contract
Protection of Personal Data. 18.1 15.1 With respect to the Partiesparties' rights and obligations under the this Contract, the Parties parties agree that the Authority Customer is the Data Controller and that the Contractor is the Data Processor.
18.2 15.2 The Contractor shall:
18.2.1 15.2.1 Process the Personal Data only in accordance with instructions from the Authority Customer (which may be specific instructions or instructions of a general nature as set out in the this Contract or as otherwise notified by the Authority Customer to the Contractor during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to time);
18.2.2 15.2.2 Process the Personal Data only to the extent, and in such manner, as is directly necessary for the provision of compliance by the Goods or Services Contractor with its obligations under this Contract or as is required by Law or any Regulatory Body;
18.2.3 15.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security)protected;
18.2.4 15.2.4 take reasonable steps to ensure the reliability of any Contractor’s Contractor Personnel who have access to the Personal Data;
18.2.5 15.2.5 obtain prior written consent from the Authority Customer in order to transfer the Personal Data to any subSub-contractors Contractors or affiliates Affiliates for the provision of the ServicesOrdered IT Products;
18.2.6 15.2.6 ensure that all Contractor’s Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18Clause 15;
18.2.7 15.2.7 ensure that none of the Contractor’s Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCustomer;
18.2.8 15.2.8 notify the Authority Customer (within five (5) Working Days) if it receives:
18.2.8.1 (a) a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 (b) a complaint or request relating to the AuthorityCustomer's obligations under the Data Protection Legislation;
18.2.9 15.2.9 provide the Authority Customer with full co-operation cooperation and assistance in relation to any complaint or request made, including by:
18.2.9.1 (a) providing the Authority Customer with full details of the complaint or request;
18.2.9.2 (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the AuthorityCustomer's instructions;
18.2.9.3 (c) providing the Authority Customer with any Personal Data it holds in relation to a Data Subject, Subject (within the timescales required by the AuthorityCustomer); and
18.2.9.4 (d) providing the Authority Customer with any information requested by the AuthorityCustomer;
18.2.10 15.2.10 permit the Authority Customer or its approved representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, audit the Contractor's data Processing activities (and/or those of its Personnelagents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority Customer to enable the Authority Customer to verify and/or procure that the Contractor is in full compliance with its obligations under the this Contract;
18.2.11 15.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the AuthorityCustomer); and
18.2.12 15.2.12 not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Effective Date, the Contractor (or any Sub-Contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply:
(a) the Contractor shall submit a Contract Change Note to the Customer which shall be dealt with in accordance with the Contract Change Procedure and Clauses (b) to (d) below;
(b) the Contractor shall set out in its Contract Change Note (and/or impact assessment) details of the following:
i the Personal Data which will be Processed and/or transferred outside the European Economic Area;
ii the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area;
iii any Sub-Contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and
iv how the Contractor will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area;
(c) in providing and evaluating the Contract Change Note, the parties shall ensure that they have regard to and comply with then-current Customer, Government and Information Commissioner's Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area without and/or overseas generally; and
(d) the prior written consent of Contractor shall comply with such other instructions and shall carry out such other actions as the Authority andCustomer may notify in writing, where including: i incorporating standard and/or model clauses (which are approved by the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller European Commission as offering adequate safeguards under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to Legislation) in this Contract or a separate data processing agreement between the parties; and ii procuring that any Sub-Contractor or other third party who will be Processing and/or transferring the Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it outside the European Economic Area enters into a direct data processing agreement with the Customer on such terms as may be required by the AuthorityCustomer, which the Contractor acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).
18.3 15.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the this Contract in such a way as to cause the Authority Customer to breach any of its applicable obligations under the Data Protection Legislation.
Samples: Contract
Protection of Personal Data. 18.1 17.1 With respect to the Parties' rights and obligations under the this Contract, the Parties parties agree that the Authority is the Data Controller and that the Contractor is the Data Processor.
18.2 17.2 The Contractor shall:
18.2.1 Process 17.2.1 process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in the this Contract or as otherwise notified by the Authority to the Contractor during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to timecontract);
18.2.2 Process 17.2.2 process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law law or any Regulatory Bodyregulatory body;
18.2.3 17.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processingprocessing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security)protected;
18.2.4 take reasonable steps 17.2.4 use best endeavours to ensure the reliability of any Contractor’s Personnel Staff who have access to the Personal Data;
18.2.5 17.2.5 obtain prior written consent from the Authority in order to before transfer of the Personal Data to any sub-contractors or affiliates agents or consultants for the provision of the Services;
18.2.6 17.2.6 ensure that all Contractor’s Personnel Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18Condition 17;
18.2.7 17.2.7 ensure that none of the Contractor’s Personnel no Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityAuthority has granted its written consent;
18.2.8 17.2.8 notify the Authority (within five Working Days) working days if it receives:
18.2.8.1 17.2.8.1 a request from a Data Subject to have for access to that person's Personal Data; or
18.2.8.2 17.2.8.2 a complaint or request relating to the Authority's obligations under the Data Protection Legislationlegislation;
18.2.9 17.2.9 provide the Authority with full co-operation cooperation and assistance in relation to any complaint or request made, including by:
18.2.9.1 17.2.9.1 providing the Authority with full details of the complaint or request;
18.2.9.2 17.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation Act 1998 and in accordance with the Authority's instructions;
18.2.9.3 17.2.9.3 providing the Authority with any Personal Data it holds in relation to a Data Subject, Subject (within the timescales required by the Authority); and
18.2.9.4 17.2.9.4 providing the Authority with any information requested by the Authority;
18.2.10 17.2.10 permit the Authority or the Authority Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25Condition 20 (Right of Audit), the Contractor's data Processing processing activities (and/or those of its Personnelagents, and sub-contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under the Contractthis Agreement;
18.2.11 17.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 17.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 17.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 17.2.12.2 any reasonable instructions notified to it by the Authority.
18.3 17.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the this Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation Act 1998.
Appears in 1 contract
Protection of Personal Data. 18.1 42.2.1 With respect to the Parties' parties’ rights and obligations under the this Contract, the Parties agree Council and the Contractor recognise that the Authority Council is the Data Controller and that the Contractor is the Data Processor.
18.2 42.2.2 The Contractor shall: shall:-
18.2.1 42.2.2.1 Process the Personal Data only in accordance with written instructions from the Authority Council (which may be specific instructions or instructions of a general nature as set out in the this Contract or as otherwise notified by the Authority Council to the Contractor during the Term) and the Contractor shall at the very least comply with the provisions of Schedule E (Information Security) and HM Government Security Framework as updated from time to time Contractor);
18.2.2 42.2.2.2 Process the Personal Data only to the extent, and in such a manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body regulatory body;
18.2.3 implement 42.2.2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security) protected;
18.2.4 take 42.2.2.4 Take every reasonable precaution to ensure that Authority Data is divulged only to Employees where necessary for the provision of the Services and only to the extent essential to each Employee’s role in the provision of the Services;
42.2.2.5 Take reasonable steps to ensure the reliability of any Contractor’s Personnel Employees who have access to the Personal Data, including but not limited to, Disclosure and Barring Service checks;
18.2.5 obtain 42.2.2.6 Ensure that Employees are trained on a continuing basis to ensure adherence to clauses 1 and 2 of these Special Terms and Conditions;
42.2.2.7 Obtain prior written consent from the Authority Council in order to transfer the Personal Data to any sub-contractors or affiliates for the provision of the Services;
18.2.6 ensure 42.2.2.8 Ensure that all Contractor’s Personnel required Employees who have access to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 18; clauses 1 and 2 of these Special Terms and Conditions; and
18.2.7 ensure 42.2.2.9 Ensure that none of the Contractor’s Personnel Employees publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority;
18.2.8 notify the Authority (within five Working Days) if it receives:
18.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
18.2.8.2 a complaint or request relating to the Authority's obligations under the Data Protection Legislation;
18.2.9 provide the Authority with full co-operation and assistance in relation to any complaint or request made, including by:
18.2.9.1 providing the Authority with full details of the complaint or request;
18.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;
18.2.9.3 providing the Authority with any Personal Data it holds in relation to a Data Subject, within the timescales required by the Authority; and
18.2.9.4 providing the Authority with any information requested by the Authority;
18.2.10 permit the Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the Contractor's data Processing activities (and/or those of its Personnel) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under the Contract;
18.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
18.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with:
18.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and
18.2.12.2 any reasonable instructions notified to it by the Authority Council.
18.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 1 contract
Samples: Individual Agreement for the Provision of Home Care and Support