{"component": "clause", "props": {"groups": [{"samples": [{"hash": "fN3Ji1phkuj", "uri": "/contracts/fN3Ji1phkuj#security-of", "label": "Data Processing Addendum", "score": 36.5181450061, "published": true}, {"hash": "7hJABmYKiDa", "uri": "/contracts/7hJABmYKiDa#security-of", "label": "Data Protection and Security Addendum", "score": 36.1746749878, "published": true}, {"hash": "6P8mqXYFi9O", "uri": "/contracts/6P8mqXYFi9O#security-of", "label": "Participating Addendum", "score": 35.3962402344, "published": true}], "snippet_links": [{"key": "data-importer", "type": "clause", "offset": [19, 32]}, {"key": "data-exporter", "type": "definition", "offset": [68, 81]}, {"key": "to-ensure", "type": "clause", "offset": [148, 157]}, {"key": "security-of-the-data", "type": "clause", "offset": [162, 182]}, {"key": "breach-of-security", "type": "definition", "offset": [215, 233]}, {"key": "unauthorised-disclosure", "type": "clause", "offset": [299, 322]}, {"key": "personal-data-breach", "type": "definition", "offset": [360, 380]}, {"key": "the-parties-shall", "type": "clause", "offset": [432, 449]}, {"key": "state-of-the-art", "type": "clause", "offset": [474, 490]}, {"key": "costs-of", "type": "clause", "offset": [496, 504]}, {"key": "the-nature", "type": "clause", "offset": [521, 531]}, {"key": "risks-involved", "type": "clause", "offset": [585, 599]}, {"key": "the-processing", "type": "clause", "offset": [603, 617]}, {"key": "data-subjects", "type": "definition", "offset": [626, 639]}, {"key": "in-particular", "type": "clause", "offset": [659, 672]}, {"key": "purpose-of-processing", "type": "clause", "offset": [774, 795]}, {"key": "in-case-of", "type": "clause", "offset": [829, 839]}, {"key": "additional-information", "type": "clause", "offset": [862, 884]}, {"key": "the-personal-data", "type": "definition", "offset": [901, 918]}, {"key": "specific-data", "type": "clause", "offset": [924, 937]}, {"key": "control-of-the", "type": "clause", "offset": [996, 1010]}, {"key": "complying-with", "type": "clause", "offset": [1029, 1043]}, {"key": "the-technical", "type": "clause", "offset": [1125, 1138]}, {"key": "annex-ii", "type": "clause", "offset": [1180, 1188]}, {"key": "continue-to-provide", "type": "clause", "offset": [1269, 1288]}, {"key": "an-appropriate", "type": "clause", "offset": [1289, 1303]}, {"key": "access-to-the", "type": "clause", "offset": [1357, 1370]}, {"key": "members-of", "type": "clause", "offset": [1388, 1398]}, {"key": "to-the-extent", "type": "clause", "offset": [1418, 1431]}, {"key": "necessary-for", "type": "definition", "offset": [1441, 1454]}, {"key": "monitoring-of-the-contract", "type": "clause", "offset": [1490, 1516]}, {"key": "obligation-of-confidentiality", "type": "clause", "offset": [1670, 1699]}, {"key": "a-personal", "type": "clause", "offset": [1721, 1731]}, {"key": "personal-data-processed", "type": "clause", "offset": [1755, 1778]}, {"key": "these-clauses", "type": "clause", "offset": [1806, 1819]}, {"key": "appropriate-measures", "type": "clause", "offset": [1850, 1870]}, {"key": "to-mitigate", "type": "definition", "offset": [1913, 1924]}, {"key": "adverse-effects", "type": "clause", "offset": [1929, 1944]}, {"key": "notify-the", "type": "clause", "offset": [1975, 1985]}, {"key": "without-undue-delay", "type": "definition", "offset": [2000, 2019]}, {"key": "details-of", "type": "clause", "offset": [2097, 2107]}, {"key": "contact-point", "type": "definition", "offset": [2110, 2123]}, {"key": "more-information", "type": "definition", "offset": [2130, 2146]}, {"key": "description-of-the", "type": "definition", "offset": [2166, 2184]}, {"key": "nature-of-the", "type": "clause", "offset": [2185, 2198]}, {"key": "number-of", "type": "clause", "offset": [2261, 2270]}, {"key": "data-records", "type": "definition", "offset": [2298, 2310]}, {"key": "where-appropriate", "type": "definition", "offset": [2415, 2432]}, {"key": "provide-all-information", "type": "clause", "offset": [2532, 2555]}, {"key": "initial-notification", "type": "clause", "offset": [2578, 2598]}, {"key": "the-information", "type": "clause", "offset": [2613, 2628]}, {"key": "further-information", "type": "clause", "offset": [2648, 2667]}, {"key": "cooperate-with", "type": "clause", "offset": [2774, 2788]}, {"key": "assist-the", "type": "clause", "offset": [2793, 2803]}, {"key": "comply-with", "type": "clause", "offset": [2849, 2860]}, {"key": "authority-and", "type": "clause", "offset": [2959, 2972]}, {"key": "nature-of-processing", "type": "clause", "offset": [3025, 3045]}, {"key": "available-to", "type": "definition", "offset": [3066, 3078]}], "size": 51, "snippet": "processing\n(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter \u2018personal data breach\u2019). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.\n(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.\n(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.\n(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.", "hash": "1cb41a880c10e5983f8e17981352da95", "id": 1}, {"samples": [{"hash": "h7rM2guhSQa", "uri": "/contracts/h7rM2guhSQa#security-of", "label": "Data Processing Agreement", "score": 33.4368782043, "published": true}, {"hash": "5DrdrPEEBQ9", "uri": "/contracts/5DrdrPEEBQ9#security-of", "label": "Data Processing Agreement", "score": 33.3657035828, "published": true}, {"hash": "dSQY2prl5PK", "uri": "/contracts/dSQY2prl5PK#security-of", "label": "Standard Contractual Clauses", "score": 33.1858139038, "published": true}], "snippet_links": [{"key": "state-of-the-art", "type": "clause", "offset": [71, 87]}, {"key": "costs-of", "type": "clause", "offset": [93, 101]}, {"key": "the-nature", "type": "clause", "offset": [121, 131]}, {"key": "purposes-of-processing", "type": "clause", "offset": [152, 174]}, {"key": "rights-and-freedoms", "type": "clause", "offset": [238, 257]}, {"key": "data-controller-and-data-processor", "type": "clause", "offset": [284, 318]}, {"key": "measures-to", "type": "clause", "offset": [376, 387]}, {"key": "the-risks", "type": "clause", "offset": [475, 484]}, {"key": "the-processing", "type": "clause", "offset": [545, 559]}, {"key": "to-mitigate", "type": "definition", "offset": [583, 594]}, {"key": "encryption-of-personal-data", "type": "clause", "offset": [704, 731]}, {"key": "ability-to-ensure", "type": "clause", "offset": [740, 757]}, {"key": "availability-and-resilience-of-processing-systems-and-services", "type": "clause", "offset": [794, 856]}, {"key": "access-to-personal-data", "type": "clause", "offset": [905, 928]}, {"key": "in-the-event-of-a", "type": "clause", "offset": [950, 967]}, {"key": "technical-incident", "type": "definition", "offset": [980, 998]}, {"key": "measures-for-ensuring", "type": "clause", "offset": [1111, 1132]}, {"key": "security-of-the", "type": "clause", "offset": [1137, 1152]}, {"key": "according-to-article", "type": "clause", "offset": [1170, 1190]}, {"key": "natural-persons", "type": "clause", "offset": [1322, 1337]}, {"key": "provide-the", "type": "clause", "offset": [1459, 1470]}, {"key": "all-information", "type": "clause", "offset": [1491, 1506]}, {"key": "assist-the", "type": "clause", "offset": [1595, 1605]}, {"key": "pursuant-to-articles", "type": "clause", "offset": [1686, 1706]}, {"key": "inter-alia", "type": "clause", "offset": [1719, 1729]}, {"key": "providing-the", "type": "clause", "offset": [1730, 1743]}, {"key": "the-technical", "type": "clause", "offset": [1788, 1801]}, {"key": "other-information", "type": "definition", "offset": [1917, 1934]}, {"key": "necessary-for", "type": "definition", "offset": [1935, 1948]}, {"key": "comply-with-the", "type": "clause", "offset": [1972, 1987]}, {"key": "under-article", "type": "definition", "offset": [2017, 2030]}, {"key": "assessment-of-the", "type": "clause", "offset": [2065, 2082]}, {"key": "identified-risks", "type": "clause", "offset": [2119, 2135]}, {"key": "further-measures", "type": "clause", "offset": [2144, 2160]}, {"key": "additional-measures", "type": "clause", "offset": [2324, 2343]}], "size": 18, "snippet": "processing\n1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural per- sons, the data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The data controller shall evaluate the risks to the rights and freedoms of natural per- sons inherent in the processing and implement measures to mitigate those risks. De- pending on their relevance, the measures may include the following:\na. Pseudonymisation and encryption of personal data;\nb. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;\nc. the ability to restore the availability and access to personal data in a timely man- ner in the event of a physical or technical incident;\nd. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the pro- cessing.\n2. According to Article 32 GDPR, the data processor shall also \u2013 independently from the data controller \u2013 evaluate the risks to the rights and freedoms of natural persons in- herent in the processing and implement measures to mitigate those risks. To this ef- fect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.\n3. Furthermore, the data processor shall assist the data controller in ensuring compli- ance with the data controller\u2019s obligations pursuant to Articles 32 GDPR, by inter alia providing the data controller with information concerning the technical and organisa- tional measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller\u2019s obligation under Article 32 GDPR. If subsequently \u2013 in the assessment of the data controller \u2013 mitigation of the identified risks require further measures to be implemented by the data processor, than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.", "hash": "719abc71b4daf516fefa5ffa3649a381", "id": 2}, {"samples": [{"hash": "eL8yclEFvqQ", "uri": "/contracts/eL8yclEFvqQ#security-of", "label": "Clinical Trial Agreement", "score": 35.9020805359, "published": true}, {"hash": "53i4kvCXl50", "uri": "/contracts/53i4kvCXl50#security-of", "label": "Data Processing Agreement", "score": 35.7557144165, "published": true}, {"hash": "2ifon0Ofy3j", "uri": "/contracts/2ifon0Ofy3j#security-of", "label": "Cooperation Agreement", "score": 35.2178878784, "published": true}], "snippet_links": [], "size": 15, "snippet": "processing", "hash": "4374990dedc873c6a9417a355a2ac4cf", "id": 3}, {"samples": [{"hash": "3liNtoxwE78", "uri": "/contracts/3liNtoxwE78#security-of", "label": "Data Processing Agreement", "score": 34.07837677, "published": true}, {"hash": "btIcEvsLklb", "uri": "/contracts/btIcEvsLklb#security-of", "label": "Supplementary Terms and Conditions for Data Processing", "score": 33.7885665894, "published": true}, {"hash": "9lIxmbPGJe6", "uri": "/contracts/9lIxmbPGJe6#security-of", "label": "Data Processing Agreement", "score": 33.5790977478, "published": true}], "snippet_links": [{"key": "the-processor", "type": "clause", "offset": [14, 27]}, {"key": "technical-and-organisational-measures", "type": "clause", "offset": [57, 94]}, {"key": "annex-iii", "type": "clause", "offset": [108, 117]}, {"key": "to-ensure", "type": "clause", "offset": [118, 127]}, {"key": "the-personal-data", "type": "definition", "offset": [144, 161]}, {"key": "breach-of-security", "type": "definition", "offset": [207, 225]}, {"key": "unauthorised-disclosure", "type": "clause", "offset": [291, 314]}, {"key": "access-to-the-data", "type": "clause", "offset": [318, 336]}, {"key": "personal-data-breach", "type": "definition", "offset": [338, 358]}, {"key": "the-parties-shall", "type": "clause", "offset": [409, 426]}, {"key": "state-of-the-art", "type": "clause", "offset": [451, 467]}, {"key": "costs-of", "type": "clause", "offset": [473, 481]}, {"key": "the-nature", "type": "clause", "offset": [498, 508]}, {"key": "purposes-of-processing", "type": "clause", "offset": [529, 551]}, {"key": "risks-involved", "type": "clause", "offset": [560, 574]}, {"key": "data-subjects", "type": "definition", "offset": [583, 596]}, {"key": "grant-access", "type": "clause", "offset": [621, 633]}, {"key": "members-of", "type": "clause", "offset": [680, 690]}, {"key": "to-the-extent", "type": "clause", "offset": [710, 723]}, {"key": "necessary-for", "type": "definition", "offset": [733, 746]}, {"key": "monitoring-of-the-contract", "type": "clause", "offset": [774, 800]}, {"key": "an-appropriate", "type": "clause", "offset": [949, 963]}, {"key": "obligation-of-confidentiality", "type": "clause", "offset": [974, 1003]}], "size": 9, "snippet": "processing\na) The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.\nb) The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.", "hash": "873357719f59e05f39fd2fe9a1381ada", "id": 4}, {"samples": [{"hash": "9AH5Idx3fgt", "uri": "/contracts/9AH5Idx3fgt#security-of", "label": "Data Processing Agreement", "score": 27.0602321625, "published": true}, {"hash": "9mfg6zd5VwL", "uri": "/contracts/9mfg6zd5VwL#security-of", "label": "Data Processing Agreement", "score": 27.0588645935, "published": true}], "snippet_links": [{"key": "data-importer", "type": "clause", "offset": [45, 58]}, {"key": "data-exporter", "type": "definition", "offset": [94, 107]}, {"key": "to-ensure", "type": "clause", "offset": [174, 183]}, {"key": "security-of-the-data", "type": "clause", "offset": [188, 208]}, {"key": "breach-of-security", "type": "definition", "offset": [241, 259]}, {"key": "unauthorised-disclosure", "type": "clause", "offset": [325, 348]}, {"key": "personal-data-breach", "type": "definition", "offset": [386, 406]}, {"key": "state-of-the-art", "type": "clause", "offset": [493, 509]}, {"key": "costs-of", "type": "clause", "offset": [515, 523]}, {"key": "the-nature", "type": "clause", "offset": [540, 550]}, {"key": "risks-involved", "type": "clause", "offset": [604, 618]}, {"key": "the-processing", "type": "clause", "offset": [622, 636]}, {"key": "the-parties-shall", "type": "clause", "offset": [659, 676]}, {"key": "in-particular", "type": "clause", "offset": [677, 690]}, {"key": "purpose-of-processing", "type": "clause", "offset": [792, 813]}, {"key": "in-case-of", "type": "clause", "offset": [847, 857]}, {"key": "additional-information", "type": "clause", "offset": [880, 902]}, {"key": "the-personal-data", "type": "definition", "offset": [919, 936]}, {"key": "specific-data", "type": "clause", "offset": [942, 955]}, {"key": "control-of-the", "type": "clause", "offset": [1014, 1028]}, {"key": "the-controller", "type": "clause", "offset": [1046, 1060]}, {"key": "complying-with", "type": "clause", "offset": [1065, 1079]}, {"key": "the-technical", "type": "clause", "offset": [1161, 1174]}, {"key": "annex-ii", "type": "clause", "offset": [1216, 1224]}, {"key": "continue-to-provide", "type": "clause", "offset": [1305, 1324]}, {"key": "an-appropriate", "type": "clause", "offset": [1325, 1339]}, {"key": "datos-personales", "type": "definition", "offset": [1679, 1695]}, {"key": "las-partes", "type": "definition", "offset": [2078, 2088]}, {"key": "access-to-the-data", "type": "clause", "offset": [2838, 2856]}, {"key": "members-of", "type": "clause", "offset": [2860, 2870]}, {"key": "to-the-extent", "type": "clause", "offset": [2890, 2903]}, {"key": "necessary-for", "type": "definition", "offset": [2913, 2926]}, {"key": "monitoring-of-the-contract", "type": "clause", "offset": [2962, 2988]}, {"key": "obligation-of-confidentiality", "type": "clause", "offset": [3142, 3171]}, {"key": "a-personal", "type": "clause", "offset": [3595, 3605]}, {"key": "personal-data-processed", "type": "clause", "offset": [3629, 3652]}, {"key": "these-clauses", "type": "clause", "offset": [3680, 3693]}, {"key": "appropriate-measures", "type": "clause", "offset": [3724, 3744]}, {"key": "to-mitigate", "type": "definition", "offset": [3787, 3798]}, {"key": "adverse-effects", "type": "clause", "offset": [3803, 3818]}, {"key": "without-undue-delay", "type": "definition", "offset": [3857, 3876]}, {"key": "where-appropriate", "type": "definition", "offset": [3901, 3918]}, {"key": "details-of", "type": "clause", "offset": [4025, 4035]}, {"key": "contact-point", "type": "definition", "offset": [4038, 4051]}, {"key": "more-information", "type": "definition", "offset": [4058, 4074]}, {"key": "description-of-the", "type": "definition", "offset": [4094, 4112]}, {"key": "nature-of-the", "type": "clause", "offset": [4113, 4126]}, {"key": "number-of", "type": "clause", "offset": [4189, 4198]}, {"key": "data-subjects", "type": "definition", "offset": [4199, 4212]}, {"key": "data-records", "type": "definition", "offset": [4226, 4238]}, {"key": "provide-all-information", "type": "clause", "offset": [4446, 4469]}, {"key": "initial-notification", "type": "clause", "offset": [4492, 4512]}, {"key": "the-information", "type": "clause", "offset": [4527, 4542]}, {"key": "further-information", "type": "clause", "offset": [4562, 4581]}, {"key": "la-notificaci\u00f3n", "type": "clause", "offset": [5700, 5715]}, {"key": "cooperate-with", "type": "clause", "offset": [5923, 5937]}, {"key": "assist-the", "type": "clause", "offset": [5942, 5952]}, {"key": "comply-with", "type": "clause", "offset": [5998, 6009]}, {"key": "notify-the", "type": "clause", "offset": [6128, 6138]}, {"key": "authority-and", "type": "clause", "offset": [6161, 6174]}, {"key": "nature-of-processing", "type": "clause", "offset": [6227, 6247]}, {"key": "available-to", "type": "definition", "offset": [6268, 6280]}], "size": 8, "snippet": "processing-Seguridad del tratamiento\n(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter \u201cpersonal data breach\u201d). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security. El importador de datos y, durante la transferencia, tambi\u00e9n el exportador de datos aplicar\u00e1n medidas t\u00e9cnicas y organizativas adecuadas para garantizar la seguridad de los datos; en particular, la protecci\u00f3n contra vulneraciones de la seguridad que ocasionen la destrucci\u00f3n, p\u00e9rdida o alteraci\u00f3n accidental o il\u00edcita de datos personales, o la comunicaci\u00f3n o acceso no autorizados (en lo sucesivo, \u201cvulneraci\u00f3n de la seguridad de los datos personales\u201d). A la hora de determinar un nivel adecuado de seguridad, tendr\u00e1n debidamente en cuenta el estado de la t\u00e9cnica, los costes de aplicaci\u00f3n, la naturaleza, el alcance, el contexto y los fines del tratamiento, y los riesgos que entra\u00f1a el tratamiento para el interesado. Las partes deber\u00e1n considerar, en particular, el cifrado o la seudonimizaci\u00f3n, especialmente durante la transmisi\u00f3n, si de este modo se puede cumplir la finalidad del tratamiento. En caso de seudonimizaci\u00f3n, la informaci\u00f3n adicional necesaria para atribuir los datos personales a un interesado espec\u00edfico quedar\u00e1, en la medida de lo posible, bajo el control exclusivo del exportador de datos o del responsable. Al cumplir las obligaciones que le impone el presente p\u00e1rrafo, el importador de datos aplicar\u00e1 al menos las medidas t\u00e9cnicas y organizativas que figuran en el anexo II. El importador de datos llevar\u00e1 a cabo controles peri\u00f3dicos para garantizar que estas medidas sigan proporcionando un nivel de seguridad adecuado.\n(b) The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. El importador de datos solamente conceder\u00e1 acceso a los datos a los miembros de su personal en la medida en que sea estrictamente necesario para la ejecuci\u00f3n, la gesti\u00f3n y el seguimiento del contrato. Garantizar\u00e1 que las personas autorizadas para tratar los datos personales se hayan comprometido a respetar la confidencialidad o est\u00e9n sujetas a una adecuada obligaci\u00f3n vinculante de confidencialidad.\n(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay. En caso de vulneraci\u00f3n de la seguridad de datos personales tratados por el importador de datos en virtud del presente \u2587\u2587\u2587\u2587\u2587\u2587 de cl\u00e1usulas, el importador de datos adoptar\u00e1 medidas adecuadas para ponerle remedio y, en particular, medidas para mitigar los efectos negativos. El importador de datos tambi\u00e9n notificar\u00e1 sin dilaci\u00f3n indebida al exportador de datos y, cuando proceda y sea viable, al responsable, cuando cobre conocimiento de la vulneraci\u00f3n de la seguridad. Dicha notificaci\u00f3n incluir\u00e1 los datos de un punto de contacto en el que pueda obtenerse m\u00e1s informaci\u00f3n, una descripci\u00f3n de la naturaleza de la vulneraci\u00f3n (en la que figuren, cuando sea posible, las categor\u00edas y el n\u00famero aproximado de interesados y registros de datos personales afectados), las consecuencias probables y las medidas adoptadas o propuestas para poner remedio a la vulneraci\u00f3n de la seguridad, especialmente medidas para mitigar sus posibles efectos negativos. Cuando y en la medida en que no se pueda proporcionar toda la informaci\u00f3n al mismo tiempo, en la notificaci\u00f3n inicial se proporcionar\u00e1 la informaci\u00f3n de que se disponga en ese momento y, a medida que se vaya recabando, la informaci\u00f3n adicional se \u2587\u2587\u2587 proporcionando sin dilaci\u00f3n indebida.\n(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer. El importador de datos \u2587\u2587\u2587\u2587\u2587\u2587 colaborar con el exportador de datos y ayudarle para que pueda cumplir las obligaciones que le atribuye el Reglamento (UE) 2016/679, especialmente en cuanto a la notificaci\u00f3n al responsable para que este luego lo notifique a la autoridad de control competente y a los interesados afectados, teniendo en cuenta la naturaleza del tratamiento y la informaci\u00f3n de que disponga el importador de datos.", "hash": "6bd62a6b4c0675da17eb5eb74c28dc7b", "id": 5}, {"samples": [{"hash": "1uVSOBuq6MG", "uri": "/contracts/1uVSOBuq6MG#security-of", "label": "Data Processor Agreement", "score": 34.1490745544, "published": true}, {"hash": "hkwkfHk4E1W", "uri": "/contracts/hkwkfHk4E1W#security-of", "label": "Data Processor Agreement", "score": 34.0638389587, "published": true}, {"hash": "DpAaWBLV57", "uri": "/contracts/DpAaWBLV57#security-of", "label": "Data Processor Agreement", "score": 33.4614067078, "published": true}], "snippet_links": [{"key": "take-into-account", "type": "definition", "offset": [39, 56]}, {"key": "the-processing", "type": "clause", "offset": [62, 76]}, {"key": "personal-data", "type": "definition", "offset": [129, 142]}, {"key": "article-9", "type": "definition", "offset": [149, 158]}, {"key": "scope-of-the-assignment", "type": "clause", "offset": [183, 206]}, {"key": "confidential-information", "type": "clause", "offset": [208, 232]}, {"key": "social-security-number", "type": "definition", "offset": [240, 262]}, {"key": "bank-account-numbers", "type": "clause", "offset": [272, 292]}, {"key": "special-categories", "type": "definition", "offset": [299, 317]}, {"key": "health-information", "type": "clause", "offset": [357, 375]}, {"key": "sick-leaves", "type": "clause", "offset": [377, 388]}, {"key": "data-processor", "type": "definition", "offset": [401, 415]}, {"key": "obligation-to", "type": "clause", "offset": [454, 467]}, {"key": "technical-and-organisational-security-measures", "type": "clause", "offset": [493, 539]}, {"key": "data-security", "type": "clause", "offset": [596, 609]}, {"key": "been-agreed", "type": "clause", "offset": [721, 732]}, {"key": "the-data-controller", "type": "definition", "offset": [738, 757]}, {"key": "confidental-information", "type": "clause", "offset": [832, 855]}, {"key": "it-department", "type": "definition", "offset": [947, 960]}, {"key": "employees-must", "type": "clause", "offset": [966, 980]}, {"key": "security-awareness-program", "type": "clause", "offset": [1000, 1026]}, {"key": "access-to-systems", "type": "clause", "offset": [1028, 1045]}, {"key": "all-locations", "type": "clause", "offset": [1189, 1202]}, {"key": "high-level", "type": "definition", "offset": [1233, 1243]}, {"key": "physical-access-control", "type": "clause", "offset": [1244, 1267]}], "size": 7, "snippet": "processing The level of security shall take into account that the processing may involve confidential and special catgetories of personal data (ref. Article 9 GDPR), depending of the scope of the assignment. Confidential information may be social security number, salary, bank account numbers, etc. Special categories may include trade union membership and health information (sick leaves, etc.). The data processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary level of data security. The data processor shall however - in any event and at a minimum - implement the following measures that have been agreed with the data controller: All systems require personal logon with password. All systems containing confidental information have muliti factor authentication logon All computers may be remotely locked and erased by IT department. All employees must annualy complete a security awareness program. Access to systems, mail, etc. via phones, pads, etc, have the same security measures as computers. Data is encrypted during transfer. There is access control at all locations, and all data centeres have a high level physical access control C.", "hash": "c20354bb917926baec3c9cccd0895930", "id": 6}, {"samples": [{"hash": "czgTY2KXV0q", "uri": "/contracts/czgTY2KXV0q#security-of", "label": "Data Processing Agreement", "score": 27.188911438, "published": true}, {"hash": "dAMEmSNMjSp", "uri": "/contracts/dAMEmSNMjSp#security-of", "label": "Data Processing Agreement", "score": 27.1683769226, "published": true}, {"hash": "frvUwMEm2pu", "uri": "/contracts/frvUwMEm2pu#security-of", "label": "Data Processing Agreement", "score": 27.1670093536, "published": true}], "snippet_links": [{"key": "data-importer", "type": "clause", "offset": [19, 32]}, {"key": "data-exporter", "type": "definition", "offset": [68, 81]}, {"key": "to-ensure", "type": "clause", "offset": [148, 157]}, {"key": "security-of-the-data", "type": "clause", "offset": [162, 182]}, {"key": "breach-of-security", "type": "definition", "offset": [215, 233]}, {"key": "unauthorised-disclosure", "type": "clause", "offset": [299, 322]}, {"key": "access-to", "type": "definition", "offset": [326, 335]}, {"key": "personal-data-breach", "type": "definition", "offset": [360, 380]}, {"key": "the-parties-shall", "type": "clause", "offset": [432, 449]}, {"key": "state-of-the-art", "type": "clause", "offset": [474, 490]}, {"key": "costs-of", "type": "clause", "offset": [496, 504]}, {"key": "the-nature", "type": "clause", "offset": [521, 531]}, {"key": "risks-involved", "type": "clause", "offset": [585, 599]}, {"key": "the-processing", "type": "clause", "offset": [603, 617]}, {"key": "data-subjects", "type": "definition", "offset": [626, 639]}, {"key": "in-particular", "type": "clause", "offset": [659, 672]}, {"key": "purpose-of-processing", "type": "clause", "offset": [774, 795]}, {"key": "in-case-of", "type": "clause", "offset": [829, 839]}, {"key": "additional-information", "type": "clause", "offset": [862, 884]}, {"key": "the-personal-data", "type": "definition", "offset": [901, 918]}, {"key": "specific-data", "type": "clause", "offset": [924, 937]}, {"key": "control-of-the", "type": "clause", "offset": [996, 1010]}, {"key": "complying-with", "type": "clause", "offset": [1029, 1043]}, {"key": "the-technical", "type": "clause", "offset": [1125, 1138]}], "size": 5, "snippet": "processing\n(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter \u201cpersonal data breach\u201d). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex", "hash": "e12d7a02572e432f12fba5dc92fb8522", "id": 7}, {"samples": [{"hash": "Xx1KmeifY0", "uri": "/contracts/Xx1KmeifY0#security-of", "label": "Processor Eu BCR Membership Agreement", "score": 35.5805931091, "published": true}, {"hash": "ksbrPWtLaOw", "uri": "/contracts/ksbrPWtLaOw#security-of", "label": "Processor Eu BCR Membership Agreement", "score": 34.6403007507, "published": true}], "snippet_links": [{"key": "each-member", "type": "definition", "offset": [45, 56]}, {"key": "from-time-to-time", "type": "clause", "offset": [75, 92]}, {"key": "process-personal-data", "type": "definition", "offset": [100, 121]}, {"key": "on-behalf-of", "type": "definition", "offset": [156, 168]}, {"key": "other-members", "type": "definition", "offset": [188, 201]}, {"key": "compliance-with-the", "type": "clause", "offset": [249, 268]}, {"key": "at-all-times", "type": "definition", "offset": [311, 323]}, {"key": "in-accordance-with", "type": "clause", "offset": [421, 439]}, {"key": "the-gdpr", "type": "definition", "offset": [440, 448]}, {"key": "in-relation-to", "type": "clause", "offset": [536, 550]}, {"key": "relating-to", "type": "definition", "offset": [604, 615]}, {"key": "technical-and-organisational-security-measures", "type": "clause", "offset": [620, 666]}, {"key": "by-the-member", "type": "clause", "offset": [710, 723]}, {"key": "the-article", "type": "definition", "offset": [755, 766]}, {"key": "information-required", "type": "clause", "offset": [793, 813]}, {"key": "the-subject", "type": "clause", "offset": [858, 869]}, {"key": "nature-and-purpose-of-the-processing", "type": "clause", "offset": [888, 924]}, {"key": "type-of-personal-data-and-categories-of-data-subjects", "type": "clause", "offset": [926, 979]}, {"key": "set-out", "type": "definition", "offset": [984, 991]}, {"key": "subject-to-clause", "type": "clause", "offset": [1102, 1119]}, {"key": "the-personal-data", "type": "definition", "offset": [1140, 1157]}, {"key": "instructions-of-the-controller", "type": "clause", "offset": [1181, 1211]}, {"key": "with-regard-to", "type": "clause", "offset": [1230, 1244]}, {"key": "transfers-of-personal-data", "type": "clause", "offset": [1245, 1271]}, {"key": "third-country", "type": "clause", "offset": [1277, 1290]}, {"key": "international-organisation", "type": "clause", "offset": [1294, 1320]}, {"key": "applicable-to", "type": "definition", "offset": [1349, 1362]}, {"key": "the-processor", "type": "clause", "offset": [1363, 1376]}, {"key": "provided-that", "type": "definition", "offset": [1385, 1398]}, {"key": "form-of", "type": "clause", "offset": [1467, 1474]}, {"key": "legal-requirement", "type": "clause", "offset": [1480, 1497]}, {"key": "public-interest", "type": "clause", "offset": [1571, 1586]}, {"key": "obligations-of-confidentiality", "type": "clause", "offset": [1702, 1732]}, {"key": "an-appropriate", "type": "clause", "offset": [1746, 1760]}, {"key": "obligation-of-confidentiality", "type": "clause", "offset": [1771, 1800]}, {"key": "docusign-envelope", "type": "definition", "offset": [1802, 1819]}, {"key": "security-of-processing", "type": "clause", "offset": [1917, 1939]}], "size": 4, "snippet": "processing where acting as a processor\n3.4.1 Each Member acknowledges that from time to time it may process Personal Data as a processor (Processor Member) on behalf of any and all of the other Members (the Controller Member) whether as a result of compliance with the BCRs or otherwise. The Member will ensure at all times that it is clearly documented where responsibility lies for the processing of such Personal Data in accordance with the GDPR.\n3.4.2 Each Member agrees and acknowledges that compliance with the BCRs, particularly in relation to security measures, constitutes sufficient guarantees relating to the technical and organisational security measures governing the processing to be carried out by the Member to satisfy the requirements of the Article 32 of the GDPR.\n3.4.3 The information required by Article 28(3) of the GDPR in relation to the subject-matter, duration, nature and purpose of the processing, type of Personal Data and categories of Data Subjects, is set out in the BCRs.\n3.4.4 Each Processor Member undertakes to the Controller Member that it shall:\n(a) Instructions: subject to Clause 3.4.5, only process the Personal Data:\n(i) on the documented instructions of the Controller Member, including with regard to transfers of Personal Data to a third country or international organisation; or\n(ii) as required by law applicable to the Processor Member, provided that the Processor Member first informs the Controller Member in written form of that legal requirement before processing unless that law prohibits this on important grounds of public interest;\n(b) Staff: ensure the Processor Member staff authorised to process the Personal Data have committed themselves to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality; DocuSign Envelope ID: 85BF9186-F695-42D4-84F2-5A2035C1EA94\n(c) Security: take all measures required by Article 32 (Security of Processing) of the GDPR;", "hash": "73e3e3b4d8e51d333928eaf1eb05240f", "id": 8}, {"samples": [{"hash": "2jKop9gU75L", "uri": "/contracts/2jKop9gU75L#security-of", "label": "Standard Contractual Clauses", "score": 30.037065506, "published": true}], "snippet_links": [{"key": "state-of-the-art", "type": "clause", "offset": [71, 87]}, {"key": "costs-of", "type": "clause", "offset": [93, 101]}, {"key": "the-nature", "type": "clause", "offset": [121, 131]}, {"key": "purposes-of-processing", "type": "clause", "offset": [152, 174]}, {"key": "rights-and-freedoms", "type": "clause", "offset": [238, 257]}, {"key": "natural-persons", "type": "clause", "offset": [261, 276]}, {"key": "data-controller-and-data-processor", "type": "clause", "offset": [282, 316]}, {"key": "measures-to", "type": "clause", "offset": [374, 385]}, {"key": "the-risks", "type": "clause", "offset": [473, 482]}, {"key": "to-mitigate", "type": "definition", "offset": [579, 590]}, {"key": "encryption-of-personal-data", "type": "clause", "offset": [801, 828]}, {"key": "ability-to-ensure", "type": "clause", "offset": [837, 854]}, {"key": "availability-and-resilience-of-processing-systems-and-services", "type": "clause", "offset": [891, 953]}, {"key": "access-to-personal-data", "type": "clause", "offset": [1002, 1025]}, {"key": "in-a-timely-manner", "type": "definition", "offset": [1026, 1044]}, {"key": "in-the-event-of-a", "type": "clause", "offset": [1045, 1062]}, {"key": "technical-incident", "type": "definition", "offset": [1075, 1093]}, {"key": "measures-for-ensuring", "type": "clause", "offset": [1206, 1227]}, {"key": "security-of-the-processing", "type": "clause", "offset": [1232, 1258]}, {"key": "according-to-article", "type": "clause", "offset": [1263, 1283]}, {"key": "provide-the", "type": "clause", "offset": [1548, 1559]}, {"key": "all-information", "type": "clause", "offset": [1580, 1595]}, {"key": "assist-the", "type": "clause", "offset": [1684, 1694]}, {"key": "compliance-with-the", "type": "clause", "offset": [1723, 1742]}, {"key": "pursuant-to-articles", "type": "clause", "offset": [1773, 1793]}, {"key": "inter-alia", "type": "clause", "offset": [1806, 1816]}, {"key": "providing-the", "type": "clause", "offset": [1817, 1830]}, {"key": "the-technical", "type": "clause", "offset": [1875, 1888]}, {"key": "other-information", "type": "definition", "offset": [2002, 2019]}, {"key": "necessary-for", "type": "definition", "offset": [2020, 2033]}, {"key": "comply-with-the", "type": "clause", "offset": [2057, 2072]}, {"key": "under-article", "type": "definition", "offset": [2102, 2115]}, {"key": "assessment-of-the", "type": "clause", "offset": [2150, 2167]}, {"key": "identified-risks", "type": "clause", "offset": [2204, 2220]}, {"key": "further-measures", "type": "clause", "offset": [2229, 2245]}, {"key": "additional-measures", "type": "clause", "offset": [2409, 2428]}], "size": 4, "snippet": "processing\n1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following: ASSEMBLY VOTING APS RINGAGER 4C, \u2587.\u2587\u2587 2605 BR\u00d8NDBY TEL: +\u2587\u2587 \u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587 \u2013 @: \u2587\u2587\u2587\u2587@\u2587\u2587\u2587\u2587.\u2587\u2587 \u2013 CVR: 25600665\na. Pseudonymisation and encryption of personal data;\nb. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;\nc. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;\nd. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.\n2. According to Article 32 GDPR, the data processor shall also \u2013 independently from the data controller \u2013 evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.\n3. Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller\u2019s obligations pursuant to Articles 32 GDPR, by inter alia providing the data controller with information concerning the technical and organisational measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller\u2019s obligation under Article 32 GDPR. If subsequently \u2013 in the assessment of the data controller \u2013 mitigation of the identified risks require further measures to be implemented by the data processor, than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.", "hash": "dfd6b13c3f7cba87f33cc18e49e944e2", "id": 9}, {"samples": [{"hash": "1pSkv0erTP", "uri": "/contracts/1pSkv0erTP#security-of", "label": "General Terms of Agreement", "score": 32.6581230164, "published": true}, {"hash": "hTnApKrXZsU", "uri": "/contracts/hTnApKrXZsU#security-of", "label": "General Terms of Agreement", "score": 32.4996757507, "published": true}, {"hash": "bBHoXhW0WwC", "uri": "/contracts/bBHoXhW0WwC#security-of", "label": "General Terms of Agreement", "score": 31.8136177063, "published": true}], "snippet_links": [{"key": "the-service-provider-must", "type": "clause", "offset": [15, 40]}, {"key": "the-personal-data", "type": "definition", "offset": [49, 66]}, {"key": "data-subject", "type": "definition", "offset": [74, 86]}, {"key": "in-particular", "type": "clause", "offset": [88, 101]}, {"key": "unauthorized-access", "type": "definition", "offset": [111, 130]}, {"key": "public-disclosure", "type": "clause", "offset": [144, 161]}, {"key": "the-service-provider-shall", "type": "clause", "offset": [200, 226]}, {"key": "personal-data-processed", "type": "clause", "offset": [239, 262]}, {"key": "access-and-use", "type": "definition", "offset": [376, 390]}, {"key": "in-respect-of", "type": "definition", "offset": [392, 405]}, {"key": "data-security", "type": "clause", "offset": [406, 419]}, {"key": "it-systems", "type": "definition", "offset": [421, 431]}, {"key": "the-persons", "type": "clause", "offset": [489, 500]}, {"key": "the-right-of-access", "type": "definition", "offset": [506, 525]}, {"key": "in-compliance-with", "type": "definition", "offset": [612, 630]}, {"key": "granted-to", "type": "definition", "offset": [735, 745]}, {"key": "rights-of-access", "type": "clause", "offset": [802, 818]}, {"key": "by-the-service-provider", "type": "clause", "offset": [850, 873]}, {"key": "on-a-regular-basis", "type": "definition", "offset": [874, 892]}, {"key": "compliance-with-the-applicable-laws", "type": "clause", "offset": [932, 967]}, {"key": "due-care", "type": "clause", "offset": [988, 996]}, {"key": "information-technology-systems", "type": "clause", "offset": [1062, 1092]}, {"key": "based-on", "type": "definition", "offset": [1093, 1101]}, {"key": "integrated-management-system", "type": "definition", "offset": [1106, 1134]}, {"key": "iso-22301", "type": "definition", "offset": [1158, 1167]}, {"key": "iso-27001", "type": "definition", "offset": [1172, 1181]}, {"key": "high-availability", "type": "definition", "offset": [1210, 1227]}, {"key": "software-solutions", "type": "clause", "offset": [1241, 1259]}, {"key": "the-certificates", "type": "clause", "offset": [1376, 1392]}, {"key": "industrial-standards", "type": "clause", "offset": [1424, 1444]}, {"key": "documents-attached", "type": "clause", "offset": [1522, 1540]}, {"key": "pci-dss-requirements", "type": "clause", "offset": [1614, 1634]}, {"key": "the-system", "type": "definition", "offset": [1638, 1648]}, {"key": "access-to", "type": "definition", "offset": [1690, 1699]}, {"key": "card-data", "type": "clause", "offset": [1738, 1747]}, {"key": "protection-of", "type": "definition", "offset": [1799, 1812]}, {"key": "data-traffic", "type": "definition", "offset": [1884, 1896]}, {"key": "user-interface", "type": "clause", "offset": [1904, 1918]}, {"key": "scope-of-the", "type": "clause", "offset": [1957, 1969]}, {"key": "live-service", "type": "definition", "offset": [1974, 1986]}, {"key": "currently-available", "type": "clause", "offset": [1992, 2011]}, {"key": "data-connection", "type": "definition", "offset": [2099, 2114]}, {"key": "in-relation-to", "type": "clause", "offset": [2245, 2259]}, {"key": "electronic-communication-means", "type": "definition", "offset": [2274, 2304]}, {"key": "the-provision-of-services", "type": "clause", "offset": [2317, 2342]}, {"key": "processed-data", "type": "definition", "offset": [2385, 2399]}, {"key": "available-to", "type": "definition", "offset": [2408, 2420]}, {"key": "authorized-persons", "type": "clause", "offset": [2425, 2443]}, {"key": "and-authentication", "type": "clause", "offset": [2477, 2495]}, {"key": "data-integrity", "type": "definition", "offset": [2586, 2600]}, {"key": "be-protected", "type": "clause", "offset": [2621, 2633]}, {"key": "data-confidentiality", "type": "clause", "offset": [2663, 2683]}, {"key": "the-subscriber-shall", "type": "clause", "offset": [2690, 2710]}, {"key": "best-efforts", "type": "clause", "offset": [2719, 2731]}, {"key": "user-name", "type": "definition", "offset": [2792, 2801]}, {"key": "offered-by", "type": "definition", "offset": [2850, 2860]}, {"key": "performed-by", "type": "clause", "offset": [2943, 2955]}, {"key": "liability-of", "type": "clause", "offset": [3033, 3045]}, {"key": "conduct-of-the", "type": "clause", "offset": [3205, 3219]}, {"key": "the-provisions", "type": "clause", "offset": [3288, 3302]}, {"key": "notify-the", "type": "clause", "offset": [3342, 3352]}, {"key": "supervisory-authority", "type": "definition", "offset": [3353, 3374]}, {"key": "without-delay", "type": "definition", "offset": [3403, 3416]}, {"key": "natural-persons", "type": "clause", "offset": [3574, 3589]}, {"key": "in-case", "type": "clause", "offset": [3591, 3598]}, {"key": "the-processor", "type": "clause", "offset": [3669, 3682]}, {"key": "without-unreasonable-delay", "type": "definition", "offset": [3746, 3772]}, {"key": "keep-records", "type": "clause", "offset": [3805, 3817]}, {"key": "personal-data-breaches", "type": "clause", "offset": [3821, 3843]}, {"key": "relevant-facts", "type": "clause", "offset": [3860, 3874]}, {"key": "actions-taken", "type": "clause", "offset": [3908, 3921]}], "size": 3, "snippet": "processing\n(1) The Service Provider must protect the personal data of the data subject, in particular, against unauthorized access, alteration, public disclosure, erasure, damage, or destruction.\n(2) The Service Provider shall protect the personal data processed by him by taking appropriate organizational and technical (information technology) measures against unauthorized access and use. In respect of data security, IT systems processing various personal data may only be operated by the persons with the right of access. The criterion for the right of access shall be considered to be met if its extent is in compliance with the stipulation that the right of access must be provided on a need-to- know basis, i.e. it may only be granted to persons whose job-related tasks include processing. The rights of access and their use shall be revised by the Service Provider on a regular basis.\n(3) The Service Provider shall act in compliance with the applicable laws and with reasonably due care; accordingly, he shall control, develop, operate, and handle his information technology systems based on the integrated management system in line with standards ISO 22301 and ISO 27001, during which, he shall use high availability hardware and software solutions and he shall regularly revise such properties thereof, and he shall develop, upgrade, or replace them as necessary. The certificates in line with the international industrial standards and the applicable laws obtained by the Service Provider are included in the documents attached as annexes hereto.\n(4) The Service Provider shall satisfy all applicable PCI DSS requirements in the system in which the Service Provider shall have access to or process (store, use, transfer) the card data of his clients, and he shall ensure the continuous protection of such personal data.\n(5) The Service Provider undertakes to protect the data traffic of the User Interface created for the Subscriber within the scope of the VCC Live Service with currently available, state-of-the-art encryption. Accordingly, the Service Provider shall ensure encrypted data connection between the server and the Subscriber and act with reasonably due care while operating the servers.\n(6) Concerning data security, in relation to operating the electronic communication means used during the provision of services, the Service Provider guarantees that the processed data will be available to the authorized persons (availability), the authenticity and authentication of the data will be ensured (authenticity of processing), the data will remain unchanged (data integrity), and the data will be protected against unauthorized access (data confidentiality).\n(7) The Subscriber shall use his best efforts to protect his personal data, including, in particular, the user name and password(s) required for using the services offered by the Service Provider.\na) The Subscriber shall be liable for any event or activity performed by using his user name or password.\nb) The Service Provider shall not undertake liability of any kind for data used in a manner deviating from that specified herein if this or the damage arising from this is attributable to the deliberate or negligent conduct of the Subscriber, or if the Service Provider has acted in compliance with the provisions hereof.\n(8) The Service Provider shall notify the supervisory authority of any personal data breach without delay, but not later than within 72 hours after he has become aware thereof, unless the personal data breach is unlikely to pose risk to the rights and freedom of natural persons. In case the Service Provider processes the personal data of the Subscriber as the processor of the Subscriber, he shall notify the Subscriber as processor without unreasonable delay.\n(9) The Service Provider shall keep records of personal data breaches, indicating the relevant facts, their effects, and the remedial actions taken.", "hash": "43b7e7086fcfa1cf477d977ec702057f", "id": 10}], "next_curs": "ClQSTmoVc35sYXdpbnNpZGVyY29udHJhY3RzcjALEhZDbGF1c2VTbmlwcGV0R3JvdXBfdjU2IhRzZWN1cml0eS1vZiMwMDAwMDAwYQyiAQJlbhgAIAA=", "clause": {"parents": [["miscellaneous", "Miscellaneous"], ["general-terms", "General Terms"], ["preamble", "Preamble"], ["documentation-and-compliance", "Documentation and compliance"], ["parties-to-this-dpa", "Parties to This Dpa"]], "title": "Security of", "children": [["", ""], ["termination", "Termination"], ["sub-processors", "Sub-processors"], ["audit", "Audit"], ["supervision-of-the-movement-of-pupils-in-the", "Supervision of the movement of pupils in the"]], "size": 145, "id": "security-of", "related": [["security-bond", "Security Bond", "Security Bond"], ["security-of-data", "Security of Data", "<strong>Security of</strong> Data"], ["security-of-processing", "Security of processing", "<strong>Security of</strong> processing"], ["security-of-vendor-facilities", "Security of Vendor Facilities", "<strong>Security of</strong> Vendor Facilities"], ["security-plan", "Security Plan", "Security Plan"]], "related_snippets": [], "updated": "2025-07-24T04:27:57+00:00", "also_ask": ["What are the essential elements that must be included in a 'Security of' clause to ensure enforceability?", "How can the scope of the security interest be strategically negotiated to maximize client protection?", "What are the most common legal pitfalls or fatal flaws in drafting 'Security of' clauses?", "How does the treatment of 'Security of' clauses differ across key jurisdictions or under different legal frameworks?", "What are the primary tests courts apply to determine the validity and priority of a 'Security of' clause in disputes?"], "drafting_tip": "Specify security standards, allocate responsibilities, and outline breach procedures to ensure clarity, accountability, and effective incident response.", "explanation": "The 'Security of' clause establishes the obligations and standards for protecting sensitive information, assets, or data within the context of an agreement. It typically outlines the measures that parties must take to safeguard confidential materials, such as implementing physical, technical, or administrative controls, and may specify protocols for reporting breaches or unauthorized access. This clause serves to mitigate the risk of data loss or misuse, ensuring that all parties are clear on their responsibilities to maintain security and comply with relevant laws or industry standards."}, "json": true, "cursor": ""}}