Common use of Relationship of the Parties and Processor Obligations Clause in Contracts

Relationship of the Parties and Processor Obligations. 2.1 The parties acknowledge that the factual arrangement between them dictates the role of each party in respect of the Applicable Data Protection Laws. Notwithstanding the foregoing, the parties anticipate that, in respect of the Personal Data, as between Customer and Supplier for the purposes of the Agreement, Customer is deemed to be the Controller and Supplier is deemed to be the Processor. The subject matter and duration of the Processing of Personal Data by Supplier, the nature and purpose of such Processing and the type (and categories) of Personal Data being Processed will be detailed in the applicable Order. Nothing within the Agreement relieves Supplier of its own direct responsibilities and liabilities under the GDPR. 2.2 Each party shall make due notification to any relevant Regulator. Supplier undertakes to Customer that it will take all necessary steps to ensure that it operates at all times in accordance with the requirements of the Applicable Data Protection Laws and Supplier will, at its own expense, assist Customer in discharging its obligations under the Applicable Data Protection Laws (as more particularly detailed in this clause 2). Supplier shall not, whether by act or omission, cause Customer to breach any of its obligations under the Applicable Data Protection Laws. 2.3 Supplier shall not disclose the Personal Data to any third party (other than Subprocessors appointed in accordance with clause 2.5) without the prior written consent of Customer, save in relation to requests for cooperation under Article 31 of GDPR or Third Party Requests where Supplier is prohibited by EU law or regulation from notifying Customer, in which case it shall use reasonable endeavours to advise Customer in advance of such disclosure and in any event as soon as practicable thereafter. 
2.4 To the extent that Supplier or any Subprocessor Processes any Personal Data (as a Processor) on behalf of Customer (as a Controller), Supplier shall (and shall procure that the Subprocessor shall): 2.4.1 only Process the Personal Data in accordance with the Agreement and any instructions of Customer unless required to do so by Applicable Law; 2.4.2 unless prohibited by Applicable Law, notify Customer immediately (and in any event within twenty-four (24) hours of becoming aware of the same) if it considers, in its opinion (acting reasonably) that it is required by Applicable Law to act other than in accordance with the instructions of Customer, including where it believes that any of Customer's instructions under clause 2.4.1 infringes any of the Applicable Data Protection Laws. Without prejudice to the foregoing, where Supplier is required by Applicable Law to Process the Personal Data other than in accordance with instructions given by the Customer under clause 2.4.1, Supplier must, unless prohibited by Applicable Law, notify Customer of such requirement prior to the relevant Processing taking; 2.4.3 take, implement and maintain appropriate technical and organisational security measures which are sufficient to comply with at least the obligations imposed on Customer by the Security Requirements.
In the event that Supplier becomes aware of any conflict or inconsistency between this clause 2 and the Security Requirements, Supplier shall immediately notify Customer of such conflict or inconsistency and Supplier shall comply with this clause 2; 2.4.4 Supplier shall maintain complete and accurate records to demonstrate compliance with this clause 2 and the Applicable Data Protection Laws and shall permit Customer (and/or its respective auditors or authorised agents), upon reasonable prior notice, to conduct audits or inspections of Supplier's (and its Subprocessors) compliance with the requirements of this clause 2 and Article 28 of GDPR, and shall allow provide all reasonable assistance in order to assist Customer in exercising its audit rights under this clause; 2.4.5 not transfer any such Personal Data to any location or territory outside the European Economic Area except with the prior written consent of Customer and in accordance with any terms Customer may impose on such transfer as Customer deems necessary to satisfy the International Transfer Requirements (including, without limitation, requiring Supplier to enter into and execute, or at the request of Customer procure that a Subprocessor enters into and executes, the form of clauses contained in EU Commission Decision 2010/87/EU of 5 February 2010); 2.4.6 without prejudice to the generality of the Agreement, take all reasonable steps to ensure the reliability and integrity of any of the Staff who have access to the Personal Data by ensuring that each member of Staff: (i) shall have undergone reasonable levels of training on the Applicable Data Protection Laws and in the care and handling of Personal Data: and (ii) shall have entered into appropriate contractually binding confidentiality undertakings and comply with the obligations set out in this clause 2, and Supplier shall ensure that only such Staff required by it to assist it in meeting its obligations under the Agreement shall have access to such
Personal Data, and no other Staff shall have access to such Personal Data; 2.4.7 without limitation to, or prejudice to the generality of, schedule 3, inform Customer promptly and in any event within twenty-four (24) hours in the event that Supplier (or its Subprocessor) fails to comply with this clause 2, and within forty-eight (48) hours in the event that Supplier receives a Data Subject Request or Regulator Correspondence, and shall: (i) not disclose any Personal Data in response to any Data Subject Requests or Regulator Correspondence without first consulting with, and obtaining the consent of, Customer: and (ii) provide Customer with all reasonable co-operation and assistance required by Customer in relation to any such Data Subject Request or Regulator Correspondence. 2.4.8 comply with the obligations imposed upon a Processor under the Applicable Data Protection Laws; and 2.4.9 assist Customer to comply with the obligations imposed on Customer by the Applicable Data Protection Laws, including without limitation: (i) compliance with the Security Requirements; (ii) notifications to regulatory authorities and/or Data Subjects required by the Applicable Data Protection Laws: and (iii) undertaking any Data Protection impact assessments. 2.4.10 Upon, and in any case within twenty-four (24) hours of becoming aware of any actual or suspected, threatened or ‘near miss’ incident of accidental or unlawful destruction or accidental loss, alteration, unauthorised or accidental disclosure of, or access to, the Personal Data or other Personal Data Breach in relation to the Personal Data, Supplier shall notify Customer of the incident or breach (and follow-up in writing), and shall thereupon: (i) conduct, or support Customer in conducting, computer forensic investigations and analysis that Customer requires in respect of such incident or breach;

Appears in 3 contracts

Samples: Supply of Goods and Services Agreement, Supply of Goods and Services Agreement, Supply of Goods and Services Agreement

Relationship of the Parties and Processor Obligations. 2.1 The parties acknowledge that the factual arrangement between them dictates the role of each party in respect of the Applicable Data Protection Laws. Notwithstanding the foregoing, the parties anticipate that, in respect of the Personal Data, as between Customer and Supplier for the purposes of the Agreement, Customer is deemed to be the Controller and Supplier is deemed to be the Processor. The subject matter and duration of the Processing of Personal Data by Supplier, the nature and purpose of such Processing and the type (and categories) of Personal Data being Processed will be detailed in the applicable Order. Nothing within the Agreement relieves Supplier of its own direct responsibilities and liabilities under the GDPR. 2.2 Each party shall make due notification to any relevant Regulator. Supplier undertakes to Customer that it will take all necessary steps to ensure that it operates at all times in accordance with the requirements of the Applicable Data Protection Laws and Supplier will, at its own expense, assist Customer in discharging its obligations under the Applicable Data Protection Laws (as more particularly detailed in this clause 2). Supplier shall not, whether by act or omission, cause Customer to breach any of its obligations under the Applicable Data Protection Laws. 2.3 Supplier shall not disclose the Personal Data to any third party (other than Subprocessors appointed in accordance with clause 2.5) without the prior written consent of Customer, save in relation to requests for cooperation under Article 31 of GDPR or Third Party Requests where Supplier is prohibited by EU law or regulation from notifying Customer, in which case it shall use reasonable endeavours to advise Customer in advance of such disclosure and in any event as soon as practicable thereafter.
2.4 To the extent that Supplier or any Subprocessor Processes any Personal Data (as a Processor) on behalf of Customer (as a Controller), Supplier shall (and shall procure that the Subprocessor shall): 2.4.1 only Process the Personal Data in accordance with the Agreement and any instructions of Customer unless required to do so by Applicable Law; 2.4.2 unless prohibited by Applicable Law, notify Customer immediately (and in any event within twenty-four (24) hours of becoming aware of the same) if it considers, in its opinion (acting reasonably) that it is required by Applicable Law to act other than in accordance with the instructions of Customer, including where it believes that any of Customer's instructions under clause 2.4.1 infringes any of the Applicable Data Protection Laws. Without prejudice to the foregoing, where Supplier is required by Applicable Law to Process the Personal Data other than in accordance with instructions given by the Customer under clause 2.4.1, Supplier must, unless prohibited by Applicable Law, notify Customer of such requirement prior to the relevant Processing taking; 2.4.3 take, implement and maintain appropriate technical and organisational security measures which are sufficient to comply with at least the obligations imposed on Customer by the Security Requirements.
In the event that Supplier becomes aware of any conflict or inconsistency between this clause 2 and the Security Requirements, Supplier shall immediately notify Customer of such conflict or inconsistency and Supplier shall comply with this clause 2; 2.4.4 Supplier shall maintain complete and accurate records to demonstrate compliance with this clause 2 and the Applicable Data Protection Laws and shall permit Customer (and/or its respective auditors or authorised agents), upon reasonable prior notice, to conduct audits or inspections of Supplier's (and its Subprocessors) compliance with the requirements of this clause 2 and Article 28 of GDPR, and shall allow provide all reasonable assistance in order to assist Customer in exercising its audit rights under this clause; 2.4.5 not transfer any such Personal Data to any location or territory outside the European Economic Area except with the prior written consent of Customer and in accordance with any terms Customer may impose on such transfer as Customer deems necessary to satisfy the International Transfer Requirements (including, without limitation, requiring Supplier to enter into and execute, or at the request of Customer procure that a Subprocessor enters into and executes, the form of clauses contained in EU Commission Decision 2010/87/EU of 5 February 2010); 2.4.6 without prejudice to the generality of the Agreement, take all reasonable steps to ensure the reliability and integrity of any of the Staff who have access to the Personal Data by ensuring that each member of Staff: (i) shall have undergone reasonable levels of training on the Applicable Data Protection Laws and in the care and handling of Personal Data: and (ii) shall have entered into appropriate contractually binding confidentiality undertakings and comply with the obligations set out in this clause 2, and Supplier shall ensure that only such Staff required by it to assist it in meeting its obligations under the Agreement shall have access to
such Personal Data, and no other Staff shall have access to such Personal Data; 2.4.7 without limitation to, or prejudice to the generality of, schedule 3, inform Customer promptly and in any event within twenty-four (24) hours in the event that Supplier (or its Subprocessor) fails to comply with this clause 2, and within forty-eight (48) hours in the event that Supplier receives a Data Subject Request or Regulator Correspondence, and shall: (i) not disclose any Personal Data in response to any Data Subject Requests or Regulator Correspondence without first consulting with, and obtaining the consent of, Customer: and (ii) provide Customer with all reasonable co-operation and assistance required by Customer in relation to any such Data Subject Request or Regulator Correspondence. 2.4.8 comply with the obligations imposed upon a Processor under the Applicable Data Protection Laws; and 2.4.9 assist Customer to comply with the obligations imposed on Customer by the Applicable Data Protection Laws, including without limitation: (i) compliance with the Security Requirements; (ii) notifications to regulatory authorities and/or Data Subjects required by the Applicable Data Protection Laws: and (iii) undertaking any Data Protection impact assessments.
2.4.10 Upon, and in any case within twenty-four (24) hours of becoming aware of any actual or suspected, threatened or ‘near miss’ incident of accidental or unlawful destruction or accidental loss, alteration, unauthorised or accidental disclosure of, or access to, the Personal Data or other Personal Data Breach in relation to the Personal Data, Supplier shall notify Customer of the incident or breach (and follow-up in writing), and shall thereupon: (i) conduct, or support Customer in conducting, computer forensic investigations and analysis that Customer requires in respect of such incident or breach; (ii) implement any actions or remedial measures to restore the security of the compromised Personal Data and/or Confidential Information and which Customer considers necessary as a result of the breach; and (iii) support Customer to make any required notifications to any relevant Regulator and affected Data Subjects. 2.5 Supplier shall not appoint any Subprocessor to process any Personal Data on behalf of Customer without Customer’s prior specific written consent to the appointment of the proposed Subprocessor. If a Subprocessor is approved by Customer, Supplier shall ensure that such Subprocessor is bound by the terms of a contract that imposes on the Subcontractor the same data protection obligations as those set out in this clause 2. Supplier shall remain fully liable to Customer for the performance of the Subprocessor‘s obligations and any acts or omissions of such Subprocessors. 
2.6 The Supplier shall on demand, at all times during and after the Term, indemnify each member of the Customer and its affiliates and keep each of Customer and its Affiliates indemnified and held harmless from and against: 2.6.1 except to the extent covered by clauses 2.6.2 or 2.6.3, any losses suffered or incurred by, awarded against or agreed to be paid by Customer and/or its Affiliates to the extent arising from Supplier's failure to comply with this clause 2; 2.6.2 any fines levied by any relevant Regulator on Customer, or the costs of an investigative, corrective or compensatory action required by any relevant Regulator, or of defending a claim made by any relevant Regulator, where those fines, costs or claims have arisen as a result of a breach of this clause 2 by Supplier or its Subprocessors; and 2.6.3 any losses suffered or incurred by, awarded against or agreed to be paid by the relevant Customer and/or Affiliates pursuant to a claim, action or challenge made by a third party against Customer and/or its affiliates (including by a Data Subject) as a result of Supplier's failure to comply with this clause 2. 2.7 Upon the cessation of the services or the termination of the Agreement, for whatever reason, Supplier will, at Customer’s option, delete or return all existing copies of Customer’s Personal Data under the Agreement to Customer, unless the Applicable Data Protection Laws or other relevant laws require storage of the Personal Data. To the extent necessary to give it effect and without limitation where Supplier continues to process Personal Data for Customer, this clause will survive the termination, for whatever reason, of the Agreement.

Appears in 1 contract

Samples: Supply of Goods and Services Agreement
