Protection of Personal Data. 7.1 With respect to the parties' rights and obligations under this Contract, the parties agree that DFID is the Data Controller and that the Supplier is the Data Processor. 7.2 The Supplier shall: 7.2.1 process the Personal Data only in accordance with instructions from DFID (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by DFID to the Supplier during the Term); 7.2.2 process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; 7.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 7.2.4 take reasonable steps to ensure the reliability of any Supplier’s Personnel who have access to the Personal Data; 7.2.5 obtain prior written consent from DFID in order to transfer the Personal Data to any Sub- contractors or Affiliates for the provision of the Services; 7.2.6 ensure that all Supplier’s Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 7; 7.2.7 ensure that none of Supplier’s Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFID; 7.2.8 notify DFID (within two Working Days) if it receives: 7.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or 7.2.8.2 a complaint or request relating to DFID’s obligations under the Data Protection Legislation; 7.2.9 provide DFID with full cooperation and assistance in relation to any complaint or request made, including by: 7.2.9.1 providing DFID with full details of the complaint or request; 7.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s instructions; 7.2.9.3 providing DFID with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFID); and 7.2.9.4 providing DFID with any information requested by DFID; 7.2.10 permit DFID or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 16 (Access and Audit), Supplier’s data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by DFID to enable DFID to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
Appears in 39 contracts
Samples: Supplier Services Agreement, Contract for Providing Technical Assistance Support, Consultancy Services Agreement
Protection of Personal Data. 7.1 With respect to the parties' rights and obligations under this Contract, the parties agree that DFID is the Data Controller and that the Supplier is the Data Processor.
7.2 The Supplier shall:
7.2.1 process the Personal Data only in accordance with instructions from DFID (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by DFID to the Supplier during the Term);
7.2.2 process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body;
7.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
7.2.4 take reasonable steps to ensure the reliability of any Supplier’s Personnel who have access to the Personal Data;
7.2.5 obtain prior written consent from DFID in order to transfer the Personal Data to any Sub- Sub-contractors or Affiliates for the provision of the Services;
7.2.6 ensure that all Supplier’s Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 7;
7.2.7 ensure that none of Supplier’s Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFID;
7.2.8 notify DFID (within two Working Days) if it receives:
7.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
7.2.8.2 a complaint or request relating to DFID’s obligations under the Data Protection Legislation;
7.2.9 provide DFID with full cooperation and assistance in relation to any complaint or request made, including by:
7.2.9.1 providing DFID with full details of the complaint or request;
7.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s instructions;
7.2.9.3 providing DFID with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFID); and
7.2.9.4 providing DFID with any information requested by DFID;
7.2.10 permit DFID or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 16 (Access and Audit), Supplier’s data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by DFID to enable DFID to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
Appears in 24 contracts
Samples: Supplier Services Agreement, Contract for Supplier Services, Contract for Supplier Services
Protection of Personal Data. 7.1 With respect to the parties' rights and obligations under this Contract, the parties agree that DFID the CUSTOMER is the Data Controller and that the Supplier CONTRACTOR is the Data Processor.
7.2 . The Supplier CONTRACTOR shall:
7.2.1 process : Process the Personal Data only in accordance with instructions from DFID the CUSTOMER (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by DFID the CUSTOMER to the Supplier CONTRACTOR during the Term);
7.2.2 process ; Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services Ordered IT Products or as is required by Law or any Regulatory Body;
7.2.3 ; implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processingProcessing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
7.2.4 ; take reasonable steps to ensure the reliability of any Supplier’s CONTRACTOR Personnel who have access to the Personal Data;
7.2.5 ; obtain prior written consent from DFID the CUSTOMER in order to transfer the Personal Data to any Sub- contractors Sub-Contractors or Affiliates for the provision of the Services;
7.2.6 Ordered IT Products; ensure that all Supplier’s CONTRACTOR Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 7;
7.2.7 Clause 15; ensure that none of Supplier’s the CONTRACTOR Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFID;
7.2.8 the CUSTOMER; notify DFID the CUSTOMER (within two five (5) Working Days) if it receives:
7.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
7.2.8.2 a complaint or request relating to DFID’s obligations under the Data Protection Legislation;
7.2.9 provide DFID with full cooperation and assistance in relation to any complaint or request made, including by:
7.2.9.1 providing DFID with full details of the complaint or request;
7.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s instructions;
7.2.9.3 providing DFID with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFID); and
7.2.9.4 providing DFID with any information requested by DFID;
7.2.10 permit DFID or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 16 (Access and Audit), Supplier’s data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by DFID to enable DFID to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
Appears in 6 contracts
Samples: Commoditised It Hardware and Software Framework Agreement, Commoditised It Hardware and Software Framework Agreement, Contract for Statistical Analysis System (Sas) Licences
Protection of Personal Data. 7.1 17.5.1 With respect to the partiesParties' rights and obligations under this Contract, the parties Parties agree that DFID the Customer is the Data Controller and that the Supplier is the Data Processor.
7.2 17.5.2 The Supplier shall:
7.2.1 process 17.5.2.1 Process the Personal Data only in accordance with instructions from DFID the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by DFID the Customer to the Supplier during the TermContract Period);
7.2.2 process 17.5.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Placement Services or as is required by Law or any Regulatory Body;
7.2.3 17.5.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processingProcessing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
7.2.4 17.5.2.4 take reasonable steps to ensure the reliability of any Supplier’s Personnel Staff who have access to the Personal Data;
7.2.5 17.5.2.5 obtain prior written consent from DFID Approval in order to transfer the Personal Data to any Sub- Sub-contractors or Affiliates for the provision of the Placement Services;
7.2.6 17.5.2.6 ensure that all Supplier’s Personnel Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 717.5;
7.2.7 17.5.2.7 ensure that none of Supplier’s Personnel the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFIDthe Customer;
7.2.8 17.5.2.8 notify DFID the Customer (within two five (5) Working Days) if it receives:
7.2.8.1 (a) a request from a Data Subject to have access to that person's Personal Data; or
7.2.8.2 (b) a complaint or request relating to DFID’s the Customer's obligations under the Data Protection Legislation;
7.2.9 17.5.2.9 provide DFID the Customer with full cooperation and assistance in relation to any complaint or request made, including by:
7.2.9.1 (a) providing DFID the Customer with full details of the complaint or request;
7.2.9.2 (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s the Customer's instructions;
7.2.9.3 (c) providing DFID the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFIDthe Customer); and
7.2.9.4 (d) providing DFID the Customer with any information requested by DFID;
7.2.10 the Customer; 17.5.2.10 permit DFID the Customer or its representatives the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 16 (Access and Audit), the Supplier’s 's data processing Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by DFID the Customer to enable DFID the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
Appears in 5 contracts
Samples: Framework Agreement, Framework Agreement, Framework Agreement
Protection of Personal Data. 7.1 22.5.1 With respect to the partiesParties' rights and obligations under this Contract, the parties Parties agree that DFID the Customer is the Data Controller and that the Supplier is the Data Processor.
7.2 22.5.2 The Supplier shall:
7.2.1 process 22.5.2.1 Process the Personal Data only in accordance with instructions from DFID the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by DFID the Customer to the Supplier during the TermContract Period);
7.2.2 process 22.5.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services and Goods or as is required by Law or any Regulatory Body;
7.2.3 22.5.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processingProcessing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
7.2.4 22.5.2.4 take reasonable steps to ensure the reliability of any Supplier’s Personnel Staff who have access to the Personal Data;
7.2.5 22.5.2.5 obtain prior written consent from DFID Approval in order to transfer the Personal Data to any Sub- Sub-contractors or Affiliates for the provision of the ServicesServices and Goods;
7.2.6 22.5.2.6 ensure that all Supplier’s Personnel Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 722.5;
7.2.7 22.5.2.7 ensure that none of Supplier’s Personnel the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFIDthe Customer;
7.2.8 22.5.2.8 notify DFID the Customer (within two five (5) Working Days) if it receives:
7.2.8.1 (a) a request from a Data Subject to have access to that person's Personal Data; or
7.2.8.2 (b) a complaint or request relating to DFID’s the Customer's obligations under the Data Protection Legislation;
7.2.9 22.5.2.9 provide DFID the Customer with full cooperation and assistance in relation to any complaint or request made, including by:
7.2.9.1 (a) providing DFID the Customer with full details of the complaint or request;
7.2.9.2 (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s the Customer's instructions;
7.2.9.3 (c) providing DFID the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFIDthe Customer); and
7.2.9.4 (d) providing DFID the Customer with any information requested by DFIDthe Customer;
7.2.10 22.5.2.10 permit DFID the Customer or its representatives the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 16 (Access and Audit), the Supplier’s 's data processing Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by DFID the Customer to enable DFID the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
22.5.2.11 provide a written description of the technical and organisational methods employed by the Supplier for processing Personal Data (within the timescales required by the Customer); and
22.5.2.12 [not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Supplier (or any Sub- contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply:
(a) the Supplier shall submit a request for Variation to the Customer which shall be dealt with in accordance with the Variation Procedure and paragraph (b) to (d) below;
(b) the Supplier shall set out in its request for a Variation details of the following:
(i) the Personal Data which will be Processed and/or transferred outside the European Economic Area;
(ii) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area;
(iii) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and
(iv) how the Supplier will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area;
(c) in providing and evaluating the request for Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally but, for the avoidance of doubt, the Customer may, in its absolute discretion, refuse to grant Approval of such Process and/or transfer any Personal Data outside the European Economic Area; and
(d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including:
(i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and
(ii) procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Customer on such terms as may be required by the Customer, which the Supplier acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).]
22.5.3 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation.
22.5.4 The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
22.5.5 The Supplier shall, at all times during and after the Contract Period, indemnify the Customer and keep the Customer indemnified against all losses, damages, costs or expenses and other liabilities (including legal fees) incurred by, awarded against or agreed to be paid by the Customer arising from any breach of the Supplier's obligations under this clause 22except and to the extent that such liabilities have resulted directly from the Customer's instructions
Appears in 3 contracts
Samples: Order Form and Call Off Terms, Order Form and Call Off Terms, Order Form and Call Off Terms
Protection of Personal Data. 7.1 With 38.1 In respect of any Personal Data processed by the Contractor pursuant to this Contract for and on behalf of the Authority or any other Third Party (as appropriate) (the “Authority Personal Data”), the Contractor warrants and undertakes that it will and will procure that each of the Contractor Personnel will:
38.1.1 comply at all times with the Data Protection Legislation;
38.1.2 only process the Authority Personal Data:
38.1.2.1 to the parties' rights extent necessary to provide the Services and obligations under this Contract, the parties agree that DFID is the Data Controller and that the Supplier is the Data Processor.
7.2 The Supplier shall:
7.2.1 process the Personal Data then only in accordance with this Contract; and
38.1.2.2 on instructions received from the Authority from time to time;
38.1.3 promptly comply with any change of instructions from DFID (the Authority relating to the Authority Personal Data and/or the Contractor’s role as Data Processor;
38.1.4 not by any act or omission place the Authority or any TfL Group member or any Third Party in breach of the Data Protection Legislation;
38.1.5 put in place:
38.1.5.1 appropriate technical and organisational security measures that prevent or are designed to prevent the accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access to the Authority Personal Data and which may comply with Good Industry Practice from time to time; and
38.1 5.2 a level of security measures which ensures that only authorised personnel have access to the Authority Personal Data and processing equipment to be specific instructions or instructions of a general nature used to Process such Authority Personal Data and that any such persons whom the Contractor authorises to have access to such Authority Personal Data will comply with like obligations as set out are contained in this Contract or as otherwise notified Clause 38.1.5 and will respect and maintain all due confidentiality; and
38.1.6 ensure that Authority Personal Data is only accessed by DFID authorised Contractor Personnel;
38.1.7 ensure the reliability of the Contractor Personnel having access to Authority Personal Data and will ensure that such Contractor Personnel are fully aware of the measures to be taken when Processing Authority Personal Data;
38.1.8 promptly give written notice to the Supplier during Authority of any actual or suspected incident of unauthorised or accidental disclosure of or access to the TermAuthority Personal Data or other breach of Clause 38 made by any of the Contractor Personnel or any other identified or unidentified third party (a “Security Breach”);
7.2.2 process 38.1.9 promptly provide the Authority with all information in the Contractor’s or the Contractor Personnel’s possession concerning any Security Breach and not make any announcement or publish or otherwise authorise any broadcast or any notice or information about a Security Breach;
38.1.10 ensure that the Authority Personal Data only is kept separate from Contractor Personal Data and from Personal Data belonging to other customers of the extent, Contractor and that the Authority Personal Data is readily identifiable;
38.1.11 not make any copies of the Authority Personal Data (whether in such manner, as is electronic or paper form) unless strictly necessary for the provision Services;
38.1.12 not modify, amend or alter the contents of the Authority Personal Data or disclose or permit the disclosure of any of the Authority Personal Data to any Third Party unless expressly required to do so as part of the Services or as is required by Law or any Regulatory Body;
7.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
7.2.4 take reasonable steps to ensure the reliability of any Supplier’s Personnel who have access to the Personal Data;
7.2.5 obtain prior written consent from DFID in order to transfer the Personal Data to any Sub- contractors or Affiliates for the provision of the Services;
7.2.6 ensure that all Supplier’s Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 7;
7.2.7 ensure that none of Supplier’s Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed specifically authorised in writing to do so by DFIDthe Authority;
7.2.8 notify DFID (within two Working Days) if it receives:
7.2.8.1 a request from a Data Subject 38.1.13 provide the Authority with such co-operation, assistance and information as is required by the Authority to have access to that person's Personal Data; or
7.2.8.2 a complaint or request relating to DFID’s comply with its obligations under the Data Protection Legislation;
7.2.9 provide DFID 38.1.14 without prejudice to Clause 38.1.12, comply with full cooperation and assistance in relation to any complaint or request made, including by:
7.2.9.1 providing DFID with full details of all instructions from the complaint or request;
7.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s instructions;
7.2.9.3 providing DFID with any Personal Data it holds Authority in relation to a subject access request for the disclosure of Authority Personal Data Subject (within and provide the timescales Authority with all assistance required by DFID)in respect thereof;
38.1.15 at any time at the Authority’s request, submit to the Authority all required materials and/or technical documentation to demonstrate its compliance with this Clause 38; and
7.2.9.4 providing DFID 38.1.16 not cause or permit the Authority Personal Data to be transferred outside of the European Economic Area, without the Authority’s prior written consent.
38.2 When the Contractor receives a written request from the Authority for information about, or a copy of, Authority Personal Data, the Contractor will supply such information or data to the Authority within such time and in such form as specified in the request or if no period of time is specified in the request, then within 10 (ten) Working Days from the date of the request.
38.3 The Authority remains solely responsible for determining the purposes and manner in which Authority Personal Data is to be Processed. The Contractor will not share any Authority Personal Data with any information requested by DFID;Sub-Contractor unless there is a written contract in place which requires the Sub-Contractor to:
7.2.10 permit DFID or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, 38.3.1 only process Authority Personal Data in accordance with clause 16 (Access and Audit), Supplierthe Authority’s data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and instructions to the Contractor; and
38.3.2 comply with all reasonable requests or directions by DFID to enable DFID to verify and/or procure the same data protection requirements that the Supplier Contractor is in full compliance required to comply with its obligations under this Contract;.
38.4 If the Contractor receives any complaint about the Processing of the Authority Personal Data from Third Parties then it will promptly notify the Authority of the same and provide the Authority with all assistance required in respect thereof.
Appears in 3 contracts
Samples: Supply, Installation and Maintenance Contract, Supply, Installation and Maintenance Contract, Supply, Installation and Maintenance Contract
Protection of Personal Data. 7.1 With respect to the parties' rights and obligations under this Contract, the parties agree that DFID is the Data Controller and that the Supplier is the Data Processor.
7.2 The Supplier shall:
7.2.1 process the Personal Data only in accordance with instructions from DFID (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by DFID to the Supplier during the Term);
7.2.2 process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body;
7.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
7.2.4 take reasonable steps to ensure the reliability of any Supplier’s Personnel who have access to the Personal Data;
7.2.5 obtain prior written consent from DFID in order to transfer the Personal Data to any Sub- contractors or Affiliates for the provision of the Services;
7.2.6 ensure that all Supplier’s Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 7;
7.2.7 ensure that none of Supplier’s Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFID;
7.2.8 notify DFID (within two Working Days) if it receives:
7.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
7.2.8.2 a complaint or request relating to DFID’s obligations under the Data Protection Legislation;
7.2.9 provide DFID with full cooperation and assistance in relation to any complaint or request made, including by:
7.2.9.1 providing DFID with full details of the complaint or request;
7.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s instructions;
7.2.9.3 providing DFID with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFID); and
7.2.9.4 providing DFID with any information requested by DFID;
7.2.10 permit DFID or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 16 (Access and Audit), SupplierDFID’s data processing Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by DFID to enable DFID to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
Appears in 2 contracts
Samples: Supplier Services Agreement, Supplier Services Contract
Protection of Personal Data. 7.1 19.1 With respect to the parties' Parties’ rights and obligations under this ContractAgreement, the parties Parties agree that DFID the Customer is the Data Controller and that the Supplier is the Data Processor.
7.2 19.2 The Supplier shall:
7.2.1 process 19.2.1 Process the Personal Data only in accordance with instructions from DFID the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract Agreement or as otherwise notified by DFID the Customer to the Supplier during the Term);
7.2.2 process 19.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services Supply or as is required by Applicable Law or any Regulatory Body;
7.2.3 19.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processingProcessing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
7.2.4 19.2.4 take reasonable steps to ensure the reliability of any Supplier’s Personnel of the Supplier Staff who have access to the Personal Data;
7.2.5 obtain prior written consent from DFID in order to 19.2.5 not transfer the Personal Data to any Sub- sub-contractors or Affiliates for without first obtaining prior written consent from the provision of the ServicesCustomer;
7.2.6 19.2.6 ensure that all Supplier’s Personnel Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 7Clause 19;
7.2.7 19.2.7 ensure that none of Supplier’s Personnel the Supplier Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFIDthe Customer;
7.2.8 19.2.8 notify DFID the Customer (within two five (5) Working Days) if it receives:
7.2.8.1 (a) a request from a Data Subject to have access to that person's ’s Personal DataData (a “Data Access Request”); or
7.2.8.2 (b) a complaint or request relating to DFIDthe Customer’s obligations under the Data Protection LegislationRequirements;
7.2.9 19.2.9 provide DFID the Customer with full cooperation and assistance in relation to any complaint or request made, including by:
7.2.9.1 (a) providing DFID the Customer with full details of the complaint or request;
7.2.9.2 (b) complying with a data access request Data Access Request within the relevant timescales set out in the Data Protection Legislation Requirements and in accordance with DFIDthe Customer’s instructions;
7.2.9.3 (c) providing DFID the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFIDthe Customer); and
7.2.9.4 (d) providing DFID the Customer with any information requested by DFIDthe Customer;
7.2.10 permit DFID or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 16 (Access and Audit), Supplier’s data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by DFID to enable DFID to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
Appears in 2 contracts
Samples: Agreement for the Provision of Natural Gas Supply, Framework Agreement for the Supply of Electricity and Ancillary Services
Protection of Personal Data. 7.1 With respect to the parties' rights and obligations under this Contract, the parties agree that DFID is the Data Controller and that the Supplier is the Data Processor.
7.2 The Supplier shall:
7.2.1 process the Personal Data only in accordance with instructions from DFID (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by DFID to the Supplier during the Term);
7.2.2 process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body;
7.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
7.2.4 take reasonable steps to ensure the reliability of any Supplier’s Personnel who have access to the Personal Data;
7.2.5 obtain prior written consent from DFID in order to transfer the Personal Data to any Sub- Sub‐ contractors or Affiliates for the provision of the Services;
7.2.6 ensure that all Supplier’s Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 7;
7.2.7 ensure that none of Supplier’s Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFID;
7.2.8 notify DFID (within two Working Days) if it receives:
7.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
7.2.8.2 a complaint or request relating to DFID’s obligations under the Data Protection Legislation;
7.2.9 provide DFID with full cooperation and assistance in relation to any complaint or request made, including by:
7.2.9.1 providing DFID with full details of the complaint or request;
7.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s instructions;
7.2.9.3 providing DFID with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFID); and
7.2.9.4 providing DFID with any information requested by DFID;
7.2.10 permit DFID or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 16 (Access and Audit), Supplier’s data processing activities (and/or those of its agents, subsidiaries and Sub-contractorsSub‐contractors) and comply with all reasonable requests or directions by DFID to enable DFID to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
Appears in 1 contract
Samples: Contract for Supplier Services
Protection of Personal Data. 7.1 With respect to Where any Personal Data are processed in connection with the parties' exercise of the Parties’ rights and obligations under this ContractAgreement, the parties agree Parties acknowledge that DFID CCS is the Data Controller and that the Supplier is the Data Processor.
7.2 . The Supplier shall:
7.2.1 process : Process the Personal Data only in accordance with instructions from DFID (which may be specific instructions CCS to perform its obligations under this Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or instructions unlawful Processing of a general nature as set out in this Contract or as otherwise notified by DFID to the Supplier during the Term);
7.2.2 process the Personal Data only and/or accidental loss, destruction, or damage to the extent, and in such manner, as is Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Services and, for any disclosure or as is required by Law or any Regulatory Body;
7.2.3 implement appropriate technical and organisational measures to protect the transfer of Personal Data against unauthorised to any third party, obtain the prior written consent of CCS (save where such disclosure or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which transfer is to be protected;
7.2.4 specifically authorised under this Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier’s Supplier Personnel who have access to the Personal Data;
7.2.5 obtain prior written consent from DFID in order to transfer the Personal Data to any Sub- contractors or Affiliates for the provision of the Services;
7.2.6 and ensure that all the Supplier Personnel: are aware of and comply with the Supplier’s Personnel required to access the Personal Data duties under this Clause 40.4.2 and Clause 40.1 (Confidentiality); are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 7;
7.2.7 ensure that none of Supplier’s Personnel do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFID;
7.2.8 CCS or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify DFID CCS within five (within two 5) Working Days) Days if it receives:
7.2.8.1 a request : from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to have access rectify, block or erase any Personal Data or any other request, complaint or communication relating to that personCCS's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or
7.2.8.2 or a complaint request from any third party for disclosure of Personal Data where compliance with such request is required or request relating purported to DFID’s obligations under the Data Protection Legislation;
7.2.9 be required by Law; provide DFID CCS with full cooperation and assistance (within the timescales reasonably required by CCS) in relation to any complaint complaint, communication or request mademade (as referred to in Clause 40.4.2 – 40.4.7, including by:
7.2.9.1 providing DFID by promptly providing: CCS with full details and copies of the complaint complaint, communication or request;
7.2.9.2 complying ; where applicable, such assistance as is reasonably requested by CCS to enable CCS to comply with a data access request the Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation DPA; and in accordance with DFID’s instructions;
7.2.9.3 providing DFID CCS, on request by CCS, with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFID)Subject; and
7.2.9.4 providing DFID with any information and if requested by DFID;
7.2.10 permit DFID CCS, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 40.4.2 and provide to CCS copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or its representatives otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (subject together “Restricted Countries”). If, after the Agreement Commencement Date, the Supplier or any Sub-Contractor wishes to reasonable and appropriate confidentiality undertakings)Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to inspect and auditCCS which, if it is agreed by CCS, shall be dealt with in accordance with clause 16 Clause 26 (Access Variation to this Agreement); the Supplier shall set out in its proposal to CCS for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and Audit), Supplier’s data processing activities (and/or those of its agents, subsidiaries and any Sub-contractors) Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure CCS’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with all CCS, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as CCS may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with CCS on such terms as may be required by CCS; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between CCS and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which CCS deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable requests endeavours to assist CCS to comply with any obligations under the DPA and shall not perform its obligations under this Agreement in such a way as to cause CCS to breach any of CCS’s obligations under the DPA to the extent the Supplier is aware, or directions ought reasonably to have been aware, that the same would be a breach of such obligations. Official secrets acts The Supplier shall (where applicable) comply with and shall ensure that the Supplier Staff comply with, the provisions to the Official Secrets Xxx 0000 to 1989 and Section 182 of the Finance Xxx 0000. In the event that the Supplier or the Supplier Staff fails to comply with this Clause, CCS reserves the right to terminate this Agreement with immediate effect by DFID giving notice in writing to enable DFID the Supplier; and the Buyer reserves the right to verify and/or procure terminate its Call-Off Contract with immediate effect by giving notice in writing to the Supplier. Promoting tax compliance If, at any point during the Term, an Occasion of Tax Non-Compliance occurs, the Supplier shall: Notify CCS in writing of such fact within five (5) Working Days of its occurrence; and promptly provide to CCS: details of the steps that the Supplier is taking to address the Occasion of Tax Non-Compliance, together with any mitigating factors that it considers relevant; and such other information in full compliance relation to the Occasion of Tax Non-Compliance as CCS may reasonable require. In the event that the Supplier fails to comply with its obligations under this Contract;Clause 42 and/or does not provide details of proposed mitigating factors which in the reasonable opinion of CCS are acceptable, then CCS reserves the right to terminate this Agreement for Material Breach. Standards and security
Appears in 1 contract
Samples: Framework Agreement
Protection of Personal Data. 7.1 14.1 With respect to the parties' rights and obligations under this ContractAgreement, the parties agree that DFID the Authority is the Data Controller and that the Supplier Contractor is the Data Processor.
7.2 14.2 The Supplier Contractor shall:
7.2.1 process 14.2.1 Process the Personal Data only in accordance with instructions from DFID the Authority (which may be specific instructions or instructions of a general nature as set out in this Contract Agreement or as otherwise notified by DFID the Authority to the Supplier Contractor during the Term);
7.2.2 process 14.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body;
7.2.3 14.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processingProcessing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
7.2.4 14.2.4 take reasonable steps to ensure the reliability of any Supplier’s Contractor Personnel who have access to the Personal Data;
7.2.5 14.2.5 obtain prior written consent from DFID the Authority in order to transfer the Personal Data to any Sub- Sub-contractors or Affiliates for the provision of the Services;
7.2.6 14.2.6 ensure that all Supplier’s Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 714;
7.2.7 14.2.7 ensure that none of Supplier’s Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFIDthe Authority;
7.2.8 14.2.8 notify DFID the Authority (within two five Working Days) if it receives:
7.2.8.1 14.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
7.2.8.2 14.2.8.2 a complaint or request relating to DFID’s the Authority's obligations under the Data Protection Legislation;
7.2.9 14.2.9 provide DFID the Authority with full cooperation and assistance in relation to any complaint or request made, including by:
7.2.9.1 14.2.9.1 providing DFID the Authority with full details of the complaint or request;
7.2.9.2 14.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s the Authority's instructions;
7.2.9.3 14.2.9.3 providing DFID the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFIDthe Authority); and
7.2.9.4 14.2.9.4 providing DFID the Authority with any information requested by DFIDthe Authority;
7.2.10 permit DFID 14.2.10 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
14.2.11 not Process or its representatives otherwise transfer any Personal Data outside the European Economic Area. If, after the Effective Date, the Contractor (subject or any Sub- contractor) wishes to reasonable and appropriate confidentiality undertakings)Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply:
14.2.11.1 the Contractor shall submit a Change Request to inspect and audit, the Authority which shall be dealt with in accordance with clause 16 the Change Control Procedure and clauses 14.2.11.2 to 14..2.11.4 below;
14.2.11.2 the Contractor shall set out in its Change Request and/or Impact Assessment details of the following:
(Access and Audit), Supplier’s data processing activities a) the Personal Data which will be Processed and/or transferred outside the European Economic Area;
(b) the country or countries in which the Personal Data will be Processed and/or those of its agents, subsidiaries and to which the Personal Data will be transferred outside the European Economic Area;
(c) I any Sub-contractorscontractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and
(d) how the Contractor will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Authority’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area;
14.2.11.3 in providing and evaluating the Change Request and Impact Assessment, the parties shall ensure that they have regard to and comply with then-current Authority, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally; and
14.2.11.4 the Contractor shall comply with such other instructions and shall carry out such other actions as the Authority may notify in writing, including:
(a) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Agreement or a separate data processing agreement between the parties; and
(b) procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Authority on such terms as may be required by the Authority, which the Contractor acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).
14.3 The Contractor shall comply at all reasonable requests or directions by DFID to enable DFID to verify and/or procure that times with the Supplier is in full compliance with Data Protection Legislation and shall not perform its obligations under this Contract;Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.
Appears in 1 contract
Samples: Ict Support Services Agreement
Protection of Personal Data. 7.1 22.5.1 With respect to the partiesParties' rights and obligations under this ContractLease Agreement, the parties Parties agree that DFID the Customer is the Data Controller and that the Supplier is the Data Processor.
7.2 The Supplier shall:
7.2.1 process 22.5.2.1 Process the Personal Data only in accordance with instructions from DFID the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract Lease Agreement or as otherwise notified by DFID the Customer to the Supplier during the TermLease Agreement Period);
7.2.2 process 22.5.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services and Goods or as is required by Law or any Regulatory Body;
7.2.3 22.5.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processingProcessing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
7.2.4 22.5.2.4 take reasonable steps to ensure the reliability of any Supplier’s Personnel Staff who have access to the Personal Data;
7.2.5 22.5.2.5 obtain prior written consent from DFID Approval in order to transfer the Personal Data to any Sub- Sub-contractors or Affiliates for the provision of the ServicesServices and Goods;
7.2.6 22.5.2.6 ensure that all Supplier’s Personnel Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 722.5;
7.2.7 22.5.2.7 ensure that none of Supplier’s Personnel the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFIDthe Customer;
7.2.8 22.5.2.8 notify DFID the Customer (within two five (5) Working Days) if it receives:
7.2.8.1 (a) a request from a Data Subject to have access to that person's Personal Data; or
7.2.8.2 (b) a complaint or request relating to DFID’s the Customer's obligations under the Data Protection Legislation;
7.2.9 22.5.2.9 provide DFID the Customer with full cooperation and assistance in relation to any complaint or request made, including by:
7.2.9.1 (a) providing DFID the Customer with full details of the complaint or request;
7.2.9.2 (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s the Customer's instructions;
7.2.9.3 (c) providing DFID the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFIDthe Customer); and
7.2.9.4 (d) providing DFID the Customer with any information requested by DFID;
7.2.10 the Customer; 22.5.2.10 permit DFID the Customer or its representatives the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 16 (Access and Audit), the Supplier’s 's data processing Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by DFID the Customer to enable DFID the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this ContractLease Agreement;
Appears in 1 contract
Samples: Lease Agreement
Protection of Personal Data. 7.1 With respect to the parties' rights and obligations under this Contract, the parties agree that DFID is the Data Controller and that the Supplier is the Data Processor.
7.2 The Supplier shall:
7.2.1 process the Personal Data only in accordance with instructions from DFID (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by DFID to the Supplier during the Term);
7.2.2 process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body;
7.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
7.2.4 take reasonable steps to ensure the reliability of any Supplier’s Personnel who have access to the Personal Data;
7.2.5 obtain prior written consent from DFID in order to transfer the Personal Data to any Sub- Sub-contractors or Affiliates for the provision of the Services;
7.2.6 ensure that all Supplier’s Suppliers’ Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 7;
7.2.7 ensure that none of Supplier’s Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFID;
7.2.8 notify DFID (within two Working Days) if it receives:
7.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
7.2.8.2 a complaint or request relating to DFID’s obligations under the Data Protection Legislation;
7.2.9 provide DFID with full cooperation and assistance in relation to any complaint or request made, including by:
7.2.9.1 providing DFID with full details of the complaint or request;
7.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s instructions;
7.2.9.3 providing DFID with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFID); and
7.2.9.4 providing DFID with any information requested by DFID;
7.2.10 permit DFID or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 16 (Access and Audit), Supplier’s data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by DFID to enable DFID to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
Appears in 1 contract
Protection of Personal Data. 7.1 With respect to the parties' rights and obligations under this Contract, the parties agree that DFID is the Data Controller and that the Supplier is the Data Processor.
7.2 The Supplier shall:
7.2.1 process the Personal Data only in accordance with instructions from DFID (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by DFID to the Supplier during the Term);
7.2.2 process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body;
7.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
7.2.4 take reasonable steps to ensure the reliability of any of the Supplier’s Personnel who have access to the Personal Data;
7.2.5 obtain prior written consent from DFID in order to transfer the Personal Data to any Sub- contractors or Affiliates for the provision of the Services;
7.2.6 ensure that all the Supplier’s Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 7;
7.2.7 ensure that none of the Supplier’s Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFID;
7.2.8 notify DFID (within two Working Days) if it receives:
7.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
7.2.8.2 a complaint or request relating to DFID’s obligations under the Data Protection Legislation;
7.2.9 provide DFID with full cooperation and assistance in relation to any complaint or request made, including by:
7.2.9.1 providing DFID with full details of the complaint or request;
7.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s instructions;
7.2.9.3 providing DFID with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFID); and
7.2.9.4 providing DFID with any information requested by DFID;
7.2.10 permit DFID or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 16 (Access and Audit), Supplier’s data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by DFID to enable DFID to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
Appears in 1 contract
Samples: Supplier Services Agreement
Protection of Personal Data. 7.1 23.5.1 With respect to the partiesParties' rights and obligations under this Contract, the parties Parties agree that DFID the Customer is the Data Controller and that the Supplier is the Data Processor.
7.2 23.5.2 The Supplier shall:
7.2.1 process 23.5.2.1 Process the Personal Data only in accordance with instructions from DFID the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by DFID the Customer to the Supplier during the TermContract Period);
7.2.2 process 23.5.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services and Goods or as is required by Law or any Regulatory Body;
7.2.3 23.5.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processingProcessing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
7.2.4 23.5.2.4 take reasonable steps to ensure the reliability of any Supplier’s Personnel Staff who have access to the Personal Data;
7.2.5 23.5.2.5 obtain prior written consent from DFID Approval in order to transfer the Personal Data to any Sub- Sub-contractors or Affiliates for the provision of the ServicesServices and Goods;
7.2.6 23.5.2.6 ensure that all Supplier’s Personnel Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 723.5;
7.2.7 23.5.2.7 ensure that none of Supplier’s Personnel the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFIDthe Customer;
7.2.8 23.5.2.8 notify DFID the Customer (within two five (5) Working Days) if it receives:
7.2.8.1 (a) a request from a Data Subject to have access to that person's Personal Data; or
7.2.8.2 (b) a complaint or request relating to DFID’s the Customer's obligations under the Data Protection Legislation;
7.2.9 23.5.2.9 provide DFID the Customer with full cooperation and assistance in relation to any complaint or request made, including by:
7.2.9.1 (a) providing DFID the Customer with full details of the complaint or request;
7.2.9.2 (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s the Customer's instructions;
7.2.9.3 (c) providing DFID the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFIDthe Customer); and
7.2.9.4 (d) providing DFID the Customer with any information requested by DFIDthe Customer;
7.2.10 23.5.2.10 permit DFID the Customer or its representatives the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 16 (Access and Audit), the Supplier’s 's data processing Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by DFID the Customer to enable DFID the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
23.5.2.11 provide a written description of the technical and organisational methods employed by the Supplier for processing Personal Data (within the timescales required by the Customer); and
23.5.2.12 not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Supplier (or any Sub- contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply:
(a) the Supplier shall submit a request for Variation to the Customer which shall be dealt with in accordance with the Variation Procedure and paragraph (b) to (d) below;
(b) the Supplier shall set out in its request for a Variation details of the following:
(i) the Personal Data which will be Processed and/or transferred outside the European Economic Area;
(ii) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area;
(iii) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and
(iv) how the Supplier will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area;
(c) in providing and evaluating the request for Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally but, for the avoidance of doubt, the Customer may, in its absolute discretion, refuse to grant Approval of such Process and/or transfer any Personal Data outside the European Economic Area; and
(d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including:
(i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and
(ii) procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Customer on such terms as may be required by the Customer, which the Supplier acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).
23.5.3 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation.
23.5.4 The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
23.5.5 The Supplier shall, at all times during and after the Contract Period, indemnify the Customer and keep the Customer indemnified against all losses, damages, costs or expenses and other liabilities (including legal fees) incurred by, awarded against or agreed to be paid by the Customer arising from any breach of the Supplier's obligations under this clause 23 except and to the extent that such liabilities have resulted directly from the Customer's instructions.
Appears in 1 contract
Samples: Call Off Agreement
Protection of Personal Data. 7.1 17.1 With respect to the partiesParties' rights and obligations under this the Contract, the parties Parties agree that DFID the Authority is the Data Controller and that the Supplier Fund is the Data Processor.
7.2 17.2 The Supplier Fund and any person acting on behalf of the Fund shall:
7.2.1 17.2.1 process the Personal Data only in accordance with instructions from DFID the Authority (which may be specific instructions or instructions of a general nature as set out in this the Contract or as otherwise notified by DFID the Authority to the Supplier Fund during the Term)Contract Period) and the Fund and the Agent shall at the very least comply with the provisions of Schedule 3(Information Security) and HM Government Security Framework as updated from time to time;
7.2.2 17.2.2 process the Personal Data only to the extent, and in such manner, as is necessary for the provision performance by the Fund or any person acting on behalf of the Services Fund of their obligations under the Contract or as is required by Law or in accordance with the request of any Regulatory Body;
7.2.3 17.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processingProcessing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protectedprotected and in any event the measures shall not be of a lesser standard than those set out in Schedule 3(Information Security);
7.2.4 17.2.4 take reasonable steps to ensure the reliability of any Supplier’s Contractor Personnel who have access to the Personal Data;
7.2.5 17.2.5 obtain prior written consent from DFID in the Authority prior to making available any order to transfer the Personal Data to any Sub- contractors or Affiliates for the provision Subcontractor of the ServicesFund or the Agent who require such Personal Data to enable the Fund to discharge its obligations under the Contract;
7.2.6 17.2.6 ensure that all Supplier’s Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and ensure they comply with the obligations set out in this clause 7Clause 17 (Protection of Personal Data);
7.2.7 17.2.7 ensure that none of Supplier’s the Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFIDthe Authority;
7.2.8 17.2.8 notify DFID the Authority (within two five (5) Working Days) if it receives:
7.2.8.1 (a) a request from a Data Subject to have access to that person's Personal Data; or
7.2.8.2 (b) a complaint or request relating to DFID’s the Authority's obligations under the Data Protection Legislation;
7.2.9 17.2.9 provide DFID the Authority with full cooperation co-operation and assistance in relation to any complaint or request mademade to the Authority, including by:
7.2.9.1 (a) providing DFID the Authority with full details of the complaint or request;
7.2.9.2 (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s the Authority's instructions;
7.2.9.3 (c) providing DFID the Authority with any Personal Data it holds in relation to a Data Subject (Subject, within the timescales required by DFID)the Authority; and
7.2.9.4 (d) providing DFID the Authority with any information requested by DFIDthe Authority;
7.2.10 17.2.10 permit DFID or its representatives (subject to reasonable and appropriate confidentiality undertakings), the Authority to inspect and audit, in accordance with clause 16 Clause 23 (Access and Audit), Supplier’s the Fund's and the Agent's data processing Processing activities (and/or those of its agents, subsidiaries and Sub-contractorsthe Contractor Personnel) and comply with all reasonable requests or directions by DFID the Authority to enable DFID the Authority to verify and/or procure that the Supplier Fund and the Agent is in full compliance with its obligations under this the Contract;
17.2.11 provide a written description of the technical and organisational methods used by the Fund and the Agent for Processing Personal Data (within the timescales required by the Authority); and
17.2.12 not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to any such Processing, to comply with:
(a) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is Processed; and
(b) any reasonable instructions notified to it by the Authority from time to time.
17.3 The Fund and the Agent shall comply at all times with the Data Protection Legislation and shall not perform their respective obligations under the Contract in such a way as to cause the Authority to breach any of its obligations under the Data Protection Legislation.
Appears in 1 contract
Samples: Contract
Protection of Personal Data. 7.1 With respect to Where any Personal Data are processed in connection with the parties' exercise of the Parties’ rights and obligations under this ContractAgreement, the parties agree Parties acknowledge that DFID CCS is the Data Controller and that the Supplier is the Data Processor.
7.2 . The Supplier shall:
7.2.1 process : Process the Personal Data only in accordance with instructions from DFID (which may be specific instructions CCS to perform its obligations under this Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or instructions unlawful Processing of a general nature as set out in this Contract or as otherwise notified by DFID to the Supplier during the Term);
7.2.2 process the Personal Data only and/or accidental loss, destruction, or damage to the extent, and in such manner, as is Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Services and, for any disclosure or as is required by Law or any Regulatory Body;
7.2.3 implement appropriate technical and organisational measures to protect the transfer of Personal Data against unauthorised to any third party, obtain the prior written consent of CCS (save where such disclosure or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which transfer is to be protected;
7.2.4 specifically authorised under this Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier’s Supplier Personnel who have access to the Personal Data;
7.2.5 obtain prior written consent from DFID in order to transfer the Personal Data to any Sub- contractors or Affiliates for the provision of the Services;
7.2.6 and ensure that all the Supplier Personnel: are aware of and comply with the Supplier’s Personnel required to access the Personal Data duties under this Clause 40.4.2 and Clause 40.1 (Confidentiality); are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 7;
7.2.7 ensure that none of Supplier’s Personnel do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFID;
7.2.8 CCS or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify DFID CCS within five (within two 5) Working Days) Days if it receives:
7.2.8.1 a request : from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to have access rectify, block or erase any Personal Data or any other request, complaint or communication relating to that personCCS's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or
7.2.8.2 or a complaint request from any third party for disclosure of Personal Data where compliance with such request is required or request relating purported to DFID’s obligations under the Data Protection Legislation;
7.2.9 be required by Law; provide DFID CCS with full cooperation and assistance (within the timescales reasonably required by CCS) in relation to any complaint complaint, communication or request mademade (as referred to in Clause 40.4.2 – 40.4.7, including by:
7.2.9.1 providing DFID by promptly providing: CCS with full details and copies of the complaint complaint, communication or request;
7.2.9.2 complying ; where applicable, such assistance as is reasonably requested by CCS to enable CCS to comply with a data access request the Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation DPA; and in accordance with DFID’s instructions;
7.2.9.3 providing DFID CCS, on request by CCS, with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFID)Subject; and
7.2.9.4 providing DFID with any information and if requested by DFID;
7.2.10 permit DFID or its representatives (subject to reasonable and appropriate confidentiality undertakings)CCS, to inspect and audit, in accordance with clause 16 (Access and Audit), Supplier’s data processing activities (and/or those provide a written description of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by DFID to enable DFID to verify and/or procure the measures that the Supplier is has taken and technical and organisational security measures in full place, for the purpose of compliance with its obligations pursuant to this Clause 40.4.2 and provide to CCS copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Agreement Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to CCS which, if it is agreed by CCS, shall be dealt with in accordance with Clause 26 (Variation to this Agreement); the Supplier shall set out in its proposal to CCS for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure CCS’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with CCS, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as CCS may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Contract;Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into:
Appears in 1 contract
Samples: Framework Agreement
Protection of Personal Data. 7.1 23.5.1 With respect to the partiesParties' rights and obligations under this Contract, the parties Parties agree that DFID the Customer is the Data Controller and that the Supplier is the Data Processor.
7.2 23.5.2 The Supplier shall:
7.2.1 process 23.5.2.1 Process the Personal Data only in accordance with instructions from DFID the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by DFID the Customer to the Supplier during the TermContract Period);
7.2.2 process 23.5.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services and Goods or as is required by Law or any Regulatory Body;
7.2.3 23.5.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processingProcessing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
7.2.4 23.5.2.4 take reasonable steps to ensure the reliability of any Supplier’s Personnel Staff who have access to the Personal Data;
7.2.5 23.5.2.5 obtain prior written consent from DFID Approval in order to transfer the Personal Data to any Sub- Sub-contractors or Affiliates for the provision of the ServicesServices and Goods;
7.2.6 23.5.2.6 ensure that all Supplier’s Personnel Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 723.5;
7.2.7 23.5.2.7 ensure that none of Supplier’s Personnel the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFIDthe Customer;
7.2.8 23.5.2.8 notify DFID the Customer (within two five (5) Working Days) if it receives:
7.2.8.1 (a) a request from a Data Subject to have access to that person's Personal Data; or
7.2.8.2 (b) a complaint or request relating to DFID’s the Customer's obligations under the Data Protection Legislation;
7.2.9 23.5.2.9 provide DFID the Customer with full cooperation and assistance in relation to any complaint or request made, including by:
7.2.9.1 (a) providing DFID the Customer with full details of the complaint or request;
7.2.9.2 (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s the Customer's instructions;
7.2.9.3 (c) providing DFID the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFIDthe Customer); and
7.2.9.4 (d) providing DFID the Customer with any information requested by DFIDthe Customer;
7.2.10 23.5.2.10 permit DFID the Customer or its representatives the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 16 (Access and Audit), the Supplier’s 's data processing Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by DFID the Customer to enable DFID the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
23.5.2.11 provide a written description of the technical and organisational methods employed by the Supplier for processing Personal Data (within the timescales required by the Customer); and
23.5.2.12 [not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Supplier (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply:
(a) the Supplier shall submit a request for Variation to the Customer which shall be dealt with in accordance with the Variation Procedure and paragraph (b) to (d) below;
(b) the Supplier shall set out in its request for a Variation details of the following:
(i) the Personal Data which will be Processed and/or transferred outside the European Economic Area;
(ii) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area;
(iii) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and
(iv) how the Supplier will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area;
(c) in providing and evaluating the request for Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally but, for the avoidance of doubt, the Customer may, in its absolute discretion, refuse to grant Approval of such Process and/or transfer any Personal Data outside the European Economic Area; and
(d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including:
(i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and
(ii) procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Customer on such terms as may be required by the Customer, which the Supplier acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).]
23.5.3 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation.
23.5.4 The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).
23.5.5 The Supplier shall, at all times during and after the Contract Period, indemnify the Customer and keep the Customer indemnified against all losses, damages, costs or expenses and other liabilities (including legal fees) incurred by, awarded against or agreed to be paid by the Customer arising from any breach of the Supplier's obligations under this clause 23 except and to the extent that such liabilities have resulted directly from the Customer's instructions.
Appears in 1 contract
Samples: Call Off Agreement
Protection of Personal Data. 7.1 31.1 With respect to the parties' rights and obligations under this ContractAgreement, the parties agree that DFID the Council is the Data Controller and that the Supplier Contractor is the Data Processor.
7.2 31.2 The Supplier Contractor shall:
7.2.1 process 31.2.1 Process the Personal Data only in accordance with instructions from DFID the Council (which may be specific instructions or instructions of a general nature as set out in this Contract Agreement or as otherwise notified by DFID the Council to the Supplier Contractor during the Term);
7.2.2 process 31.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body;
7.2.3 31.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processingProcessing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
7.2.4 31.2.4 take reasonable steps to ensure the reliability of any Supplier’s Contractor Personnel who have access to the Personal Data;
7.2.5 31.2.5 obtain prior written consent from DFID the Council in order to transfer the Personal Data to any Sub- Sub-contractors or Affiliates for the provision of the Services;
7.2.6 31.2.6 ensure that all Supplier’s Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 731;
7.2.7 31.2.7 ensure that none of Supplier’s Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFIDthe Authority;
7.2.8 31.2.8 notify DFID the Council (within two five Working Days) if it receives:
7.2.8.1 31.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
7.2.8.2 31.2.8.2 a complaint or request relating to DFID’s the Council's obligations under the Data Protection Legislation;
7.2.9 31.2.9 provide DFID the Council with full cooperation and assistance in relation to any complaint or request made, including by:
7.2.9.1 providing DFID with full details of the complaint or request;
7.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s instructions;
7.2.9.3 providing DFID with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFID); and
7.2.9.4 providing DFID with any information requested by DFID;
7.2.10 permit DFID or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 16 (Access and Audit), Supplier’s data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by DFID to enable DFID to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
Appears in 1 contract
Samples: Ict Services Agreement
Protection of Personal Data. 7.1 With respect to the parties' rights 8.1. The Council and obligations under this Contract, the parties MHCLG agree that DFID is the Data Controller and that the Supplier is the Data Processor.
7.2 The Supplier MHCLG shall:
7.2.1 8.1.1. process the Personal Data only in accordance with instructions from DFID (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by DFID to the Supplier during the Term)Agreement;
7.2.2 8.1.2. process the Personal Data only to the extent, and in such manner, as is necessary for the provision Project;
8.1.3. comply with obligations of the Services or as is required by Law or any Regulatory Body;
7.2.3 DPA18 and the GDPR and in particular implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be ensure a level of security appropriate to the harm which might result from any unauthorised or unlawful processingProcessing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
7.2.4 8.1.4. take reasonable steps to ensure the reliability of any Supplier’s personnel who have access to the Personal Data. Local authorities and MHCLG will ensure such personnel will be a limited number of analysts/staff assigned to the data collection/project/evaluation. The Data will be stored in a secure environment with access controls in place;
8.1.5. obtain prior written consent to transfer the Personal Data to any sub- contractor or other third party. This does not include transfer of Personal Data to other Government Departments for the wider evaluation of outcomes, set out in the data flows in Annex A and the MHCLG Data Protection Impact Assessment (DPIA);
8.1.6. take reasonable steps to ensure the reliability of any Data Recipient Personnel who have access to the Personal Data;
7.2.5 obtain prior written consent from DFID in order to transfer the Personal Data to any Sub- contractors or Affiliates for the provision of the Services;
7.2.6 ensure . Ensure that all Supplier’s Personnel required to access process the Personal Data are informed of their obligations under this Agreement with regard to the confidential nature security and protection of the Personal Data and comply with the that those obligations set out in this clause 7are complied with;
7.2.7 8.1.7. ensure that none of Supplier’s no Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFID;MHCLG.
7.2.8 notify DFID (within two Working Days) if it receives:
7.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
7.2.8.2 a complaint or request relating to DFID’s obligations under the Data Protection Legislation;
7.2.9 provide DFID 8.2. The Council and MHCLG shall comply at all times with full cooperation and assistance in relation to any complaint or request made, including by:
7.2.9.1 providing DFID with full details of the complaint or request;
7.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s instructions;
7.2.9.3 providing DFID with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFID); and
7.2.9.4 providing DFID with any information requested by DFID;
7.2.10 permit DFID or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 16 (Access and Audit), Supplier’s data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by DFID to enable DFID to verify and/or procure shall ensure that the Supplier is they each perform their obligations under this agreement in full compliance with its obligations under the Data Protection Legislation and any other applicable law, in particular the Human Rights Xxx 0000 and the common law duty of confidentiality.
8.3. MHCLG agree that they will not process Data collected from the Council as part of this Contract;Project for any other purpose without prior written permission of the Council.
8.4. See Annex D: Security Operating Procedure for detail.
Appears in 1 contract
Samples: Data Sharing Agreement
Protection of Personal Data. 7.1 With respect to the parties' rights and obligations under this Contract, the parties agree that DFID is the Data Controller and that the Supplier is the Data Processor.
7.2 The Supplier shall:
7.2.1 process the Personal Data only in accordance with instructions from DFID (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by DFID to the Supplier during the Term);
7.2.2 process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body;
7.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
7.2.4 take reasonable steps to ensure the reliability of any Supplier’s Personnel who have access to the Personal Data;
7.2.5 obtain prior written consent from DFID in order to transfer the Personal Data to any Sub- Sub-contractors or Affiliates for the provision of the Services;
7.2.6 ensure that all Supplier’s Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 7;
7.2.7 ensure that none of Supplier’s Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFID;
7.2.8 notify DFID (within two Working Days) if it receives:
7.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
7.2.8.2 a complaint or request relating to DFID’s obligations under the Data Protection Legislation;
7.2.9 provide DFID with full cooperation and assistance in relation to any complaint or request made, including by:
7.2.9.1 providing DFID with full details of the complaint or request;
7.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with DFID’s instructions;
7.2.9.3 providing DFID with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFID); and
7.2.9.4 providing DFID with any information requested by DFID;
7.2.10 permit DFID or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 16 (Access and Audit), SupplierDFID’s data processing Processing activities (and/or those of its agents, subsidiaries and Sub-Sub- contractors) and comply with all reasonable requests or directions by DFID to enable DFID to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;
Appears in 1 contract
Samples: Supplier Services Agreement
Protection of Personal Data. 7.1 With respect to Where any Personal Data are Processed in connection with the parties' exercise of the Parties’ rights and obligations under this Call Off Contract, the parties agree Parties acknowledge that DFID the Customer is the Data Controller and that the Supplier is the Data Processor.
7.2 . The Supplier shall:
7.2.1 process : Process the Personal Data only in accordance with instructions from DFID (which may be specific instructions the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or instructions unlawful Processing of a general nature the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in this Contract Clauses 46 (Security Requirements) and 46.1.5 (Protection of Customer Data); not disclose or as otherwise notified by DFID to the Supplier during the Term);
7.2.2 process transfer the Personal Data only to the extent, and in such manner, as is any third party or Supplier Personnel unless necessary for the provision of the Services Goods and the delivery of purchased Goods and, for any disclosure or as is required by Law or any Regulatory Body;
7.2.3 implement appropriate technical and organisational measures to protect the transfer of Personal Data against unauthorised or unlawful processing and against accidental lossto any third party, destruction, damage, alteration or disclosure. These measures shall be appropriate to obtain the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature prior written consent of the Personal Data which Customer (save where such disclosure or transfer is to be protected;
7.2.4 specifically authorised under this Call Off Contract); take reasonable steps to ensure the reliability and integrity of any Supplier’s Supplier Personnel who have access to the Personal Data;
7.2.5 obtain prior written consent from DFID in order to transfer the Personal Data to any Sub- contractors or Affiliates for the provision of the Services;
7.2.6 and ensure that all the Supplier Personnel: are aware of and comply with the Supplier’s Personnel required to access the Personal Data duties under Clause 46.1.32 and Clauses 46 (Security Requirements), 46.1.5 (Protection of Customer Data) and 46.1.13(c) (Confidentiality); are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 7;
7.2.7 ensure that none of Supplier’s Personnel do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by DFID;
7.2.8 the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify DFID the Customer within five (within two 5) Working Days) Days if it receives:
7.2.8.1 a request : from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to have access rectify, block or erase any Personal Data or any other request, complaint or communication relating to that personthe Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or
7.2.8.2 or a complaint request from any third party for disclosure of Personal Data where compliance with such request is required or request relating purported to DFID’s obligations under be required by Law; provide the Data Protection Legislation;
7.2.9 provide DFID Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint complaint, communication or request mademade (as referred to at Clause 46.1.32(h)), including by:
7.2.9.1 providing DFID by promptly providing: the Customer with full details and copies of the complaint complaint, communication or request;
7.2.9.2 complying ; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with a data access request the Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation DPA; and in accordance with DFID’s instructions;
7.2.9.3 providing DFID the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject (within the timescales required by DFID)Subject; and
7.2.9.4 providing DFID with any information and if requested by DFID;
7.2.10 permit DFID or its representatives (subject to reasonable the Customer, provide a written description of the measures that have been taken and appropriate confidentiality undertakings)technical and organisational security measures in place, to inspect and audit, in accordance with clause 16 (Access and Audit), Supplier’s data processing activities (and/or those for the purpose of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by DFID to enable DFID to verify and/or procure that the Supplier is in full compliance with its obligations pursuant to Clause 46.1.32 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 46.1.33(b) to 46.1.33(g); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Contract;Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Samples: Call Off Order Form
