Common use of Supplier Obligations Clause in Contracts

Supplier Obligations. Supplier will (and will procure that any Authorized Sub-Processor will): a) Process Personal Data only on documented instructions from UL Solutions, including the Agreement. Supplier will immediately inform the controller if, in its opinion, an instruction infringes the Data Protection Legislation or other data protection provisions; b) will Process Personal Data only to the extent required to provide the Services; c) not Process Personal Data for any purpose other than for the business purposes specified in Agreement or otherwise retain, use or disclose Personal Data outside of the direct business relationship between UL Solutions and Supplier. d) not permit any Processing of Personal Data of (i) subject to European Data Protection laws outside the European Economic Area, Switzerland and/or the United Kingdom, or (ii) Chinese residents outside the PRC, in each case, without UL Solutions prior written consent which may be subject to conditions at UL Solutions’ discretion (unless Supplier or Authorized Sub-Processors are required to transfer the Personal Data, to comply with applicable laws and such laws prohibit notice to UL Solutions on public interest grounds); e) ensure that any person authorized to process the Personal Data: (a) have committed themselves to appropriate contractual confidentiality obligations or are under an appropriate statutory obligation of confidentiality; (b) Processes the Personal Data solely on behalf and in accordance with the instructions from UL Solutions; and (c) are appropriately reliable, qualified, and trained in relation to their Processing of Personal Data; f) implement (and assist UL Solutions to implement) technical and organizational measures to ensure a level of security appropriate to the risk presented by Processing the Personal Data, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed, and comply with the UL Solutions Supplier Minimum Security Requirements set forth in Exhibit A to the Agreement; g) in the event that Supplier becomes aware of any actual or suspected (i) breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (ii) unauthorized access, acquisition, disclosure, or use of Personal Data, or (iii) any breach of security with respect to Supplier’s (including its subcontractors’) systems that store or process Personal Data (in each case, a “Security Incident”), Supplier must (x) provide written notice of the Security Incident to UL Solutions within twenty-four (24) hours; (y) perform an investigation to learn the cause of such Security Incident; and (z) take all steps necessary to remedy the event and prevent reoccurrence. Supplier must cooperate with UL Solutions in the investigation and remediation efforts following a Security Incident and grant UL Solutions access to relevant systems and logs related to said Security Incident; h) provide reasonable assistance to UL Solutions in: (a) responding to requests for exercising the rights of Data Subjects under applicable Data Protection Legislation, including by deleting Personal Data, correcting Personal Data, disclosing the specific pieces of Personal Data Processed by the Supplier, insofar as this is possible; (b) reporting any Security Incident to any supervisory authority or Data Subjects and documenting any Security Incidents; (c) taking measure to address Security Incidents, including, where appropriate, measures to mitigate its possible adverse effects; (d) conducting privacy and data protection impact assessments (and personal information protection impact assessment, if applicable) of any Processing operations and in consulting with any applicable supervisory authority or appropriate persons accordingly and (e) undertaking any other activities which may be necessary or requested by UL Solutions for compliance with the Data Protection Legislation; and i) securely delete or return all Personal Data to UL Solutions (at the choice of UL Solutions) after the end of the provision of services relating to processing in accordance with the Agreement.

Supplier Obligations. When Processing Personal Information in connection with the Agreement, Supplier will shall: comply with all applicable Data Protection Law (as defined below) and will procure that any Authorized Sub-Processor will): a) Supplier’s obligations under this DSA, and in the event Supplier cannot meet these obligations, Supplier shall notify Company immediately and take all reasonable and appropriate actions Company deems necessary to remedy the noncompliance. only Process Personal Data only Information on documented instructions from UL Solutions, including as specified in this DSA and the Agreement. , except where: Supplier will immediately inform has obtained the controller ifdata subject’s prior consent; it is necessary for the establishment, exercise, or defense of legal claims in the context of specific administrative, regulatory, or judicial proceedings; it is necessary to protect the vital interests of the data subject or of another natural person; or it is required otherwise by applicable law, in which case, Supplier shall inform Company of that legal requirement, unless prohibited by applicable law and shall use its opinion, an instruction infringes best efforts to limit the Data Protection Legislation or other data protection provisions; b) will Process Personal Data nature and scope of any required disclosure and shall only to disclose the extent required to provide the Services; c) not Process Personal Data for any purpose other than for the business purposes specified in Agreement or otherwise retain, use or disclose Personal Data outside of the direct business relationship between UL Solutions and Supplier. d) not permit any Processing minimum amount of Personal Data of (i) subject to European Data Protection laws outside the European Economic Area, Switzerland and/or the United Kingdom, or (ii) Chinese residents outside the PRC, in each case, without UL Solutions prior written consent which may be subject to conditions at UL Solutions’ discretion (unless Supplier or Authorized Sub-Processors are required to transfer the Personal Data, Information necessary to comply with applicable laws and such laws prohibit notice law. . not disclose or transfer Personal Information to UL Solutions on public interest grounds); e) ensure any third party without that any person authorized to process the Personal Data: (a) have committed themselves to appropriate contractual confidentiality obligations or are under an appropriate statutory obligation of confidentiality; (b) Processes the Personal Data solely on behalf and in accordance third party entering into a written agreement with the instructions from UL Solutions; and (c) are appropriately reliable, qualified, and trained in relation to their Processing terms at least as protective of Personal Data; f) Information as the obligations set out in this DSA and the Agreement. not sell, share, retain, use, or disclose Personal Information other than as specified in the Agreement or as otherwise authorized under this DSA. be fully liable for all acts or omissions of its employees, affiliates, agents, subcontractors and other representatives. implement (and assist UL Solutions to implement) maintain reasonable and appropriate written information security and privacy programs, which programs shall incorporate physical, technical and organizational measures that are commensurate with the nature of Personal Information Processed in connection with the Agreement, that meet or exceed good industry practices (or such higher standard as may be required in Appendix 1) and that reasonably protect against a Personal Data Breach, including training of all personnel responsible for Processing Personal Information in a manner sufficient to meet the requirements of this DSA, such measures described in Appendix 1 and to the extent not otherwise addressed in Appendix 1 and as appropriate: the pseudonymisation and encryption of Personal Information; the ability to ensure a level the ongoing confidentiality, integrity, availability and resilience of security appropriate Processing systems and services; the ability to restore the risk presented by Processing the Personal Data, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or availability and access to Personal Data transmitted, stored, or otherwise processed, and comply with the UL Solutions Supplier Minimum Security Requirements set forth Information in Exhibit A to the Agreement; g) a timely manner in the event that Supplier becomes aware of any a physical or technical incident; a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing; and the ability to confirm within 72 hours of detection whether an event constitutes a Personal Data Breach. in the event of an actual or reasonably suspected (i) breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (ii) unauthorized access, acquisition, disclosure, or use Breach of Personal Data, Information within the custody or control of Supplier or resulting from the acts or omissions of Supplier (iii) any breach of security with respect to Supplier’s (including its subcontractors’) systems that store or process a “Supplier Personal Data (in each case, a “Security IncidentBreach”), Supplier must shall: notify Company without undue delay (x) provide written notice and in any event within 24 hours of the Security Incident becoming aware of a Supplier Personal Data Breach); undertake an appropriate investigation and all remediation efforts necessary to UL Solutions within twenty-four (24) hours; (y) perform an investigation to learn the cause rectify and prevent a recurrence of such Security IncidentSupplier Personal Data Breach in a manner satisfactory to Company; promptly provide Company with all information Company deems necessary to enable Company to comply with Data Protection Law, including with respect to record keeping and reporting, and all other information Company may reasonably request regarding a Supplier Personal Data Breach; provide notification to all Data Subjects whose Personal Information may have been affected, with content required under Data Protection Law; and bear sole responsibility for the costs and expenses of either Party for any such notification to Data Subjects, whether the notice was given by Supplier or Company. promptly notify Company without undue delay and in any event within 24 hours of: any complaint, inquiry, request or concern by a competent data protection or other regulatory authority relating to Personal Information connected to the Agreement; and any complaint, inquiry, request, or concern by a Data Subject relating to the Personal Information connected to the Agreement, including any request to exercise rights under Data Protection Law or Company’s or Supplier’s privacy policy, such as to access (z) take including requesting information on any processing of their Personal Information), rectify, amend, correct, share, delete or cease Processing his or her Personal Information. comply with all steps reasonable and appropriate measures requested by Company necessary for Supplier and Company to comply with their respective obligations under Data Protection Law and this DSA. retain Personal Information no longer than necessary to remedy accomplish the event Data Sharing Purpose, unless required otherwise by applicable law. maintain the accuracy and prevent reoccurrenceintegrity of Personal Information shared by Company, consistent with the form in which Supplier received such Personal Information. maintain all records necessary to be able to demonstrate that Personal Information was only Processed in accordance with applicable notices, consents, authorizations, and rights and as permitted under this DSA and for each of Company and Supplier must cooperate to comply with UL Solutions in Data Protection Law. to the investigation and remediation efforts following a Security Incident and grant UL Solutions access extent Supplier is to relevant systems and logs related to said Security Incident; h) provide reasonable assistance to UL Solutions in: (a) responding to requests for exercising the rights of Process Personal Information regarding Data Subjects under applicable of any country or region with restrictions on the cross-border transfer of Personal Information, Supplier shall only do so in compliance Data Protection LegislationLaw, including by deleting Personal Data, correcting Personal Data, disclosing which may include entering the specific pieces Standard Contractual Clauses or similar mechanisms intended to protect transfers of Personal Data Processed by the Supplier, insofar as this is possible; (b) reporting any Security Incident to any supervisory authority Information. Except for changes made consistent with meeting a higher industry standard or Data Subjects Protection Law, Supplier shall maintain in effect and documenting any Security Incidents; (c) taking measure to address Security Incidents, including, where appropriate, measures to mitigate its possible adverse effects; (d) conducting consistently apply Supplier’s privacy and data protection impact assessments (and personal information protection impact assessment, if applicable) of any Processing operations and security practices disclosed to Company in consulting connection with any applicable supervisory authority or appropriate persons accordingly and (e) undertaking any other activities which may be necessary or requested by UL Solutions for compliance with the Data Protection Legislation; and i) securely delete or return all Personal Data to UL Solutions (at the choice of UL Solutions) after the end of the provision of services relating to processing due diligence Company most recently conducted on those practices in accordance connection with the Agreement; provided that Supplier may not reduce the standards in those practices by subsequently disclosing privacy and data security practices that would be a degradation of the previously disclosed practices. Supplier represents and warrants that all responses provided by Supplier in any such due diligence are true, accurate, and complete when made, and that an authorized representative of Supplier completed such due diligence. Supplier shall promptly notify Company of all material changes to Supplier’s privacy and data security practices. if required by Data Protection Law, appoint a person in charge of the protection of Personal Information and inform Company of the person’s name, phone number. Supplier acknowledges and agrees that its execution of this DSA constitutes its certification that it understands the restrictions set forth in this DSA and will comply with them.

Supplier Obligations. Supplier will (and will procure that any Authorized Sub-Processor will): a) Process Personal Data only on documented instructions from UL SolutionsTo use the same degree of care, including the Agreement. Supplier will immediately inform the controller ifbut never less than a reasonable degree of care, in its opinionto prevent unauthorized use, an instruction infringes the Data Protection Legislation dissemination or other data protection provisions; b) will Process Personal Data only to the extent required to provide the Services; c) not Process Personal Data for any purpose other than for the business purposes specified in Agreement or otherwise retain, use or disclose Personal Data outside publication of the direct business relationship between UL Solutions and Supplier. d) not permit any Processing of Personal Data of (i) subject to European Data Protection laws outside the European Economic Area, Switzerland and/or the United Kingdom, or (ii) Chinese residents outside the PRC, in each case, without UL Solutions prior written consent which may be subject to conditions at UL Solutions’ discretion (unless Supplier or Authorized Sub-Processors are required to transfer the Personal Data, as it uses to comply with protect its own information of similar nature, and will implement any technical and organizational measures to protect Personal Data which are required by the applicable laws law. b) To implement appropriate technical and such laws prohibit notice organizational measures to UL Solutions on public interest grounds);protect Personal Data against (i) accidental or unlawful destruction or loss, (ii) unauthorized disclosure or access, in particular where processing involves the transmission of Personal Data over a network, (iii) alteration, and (iv) all other unlawful forms of processing. ec) To implement appropriate procedures to ensure that any person authorized (i) unauthorized persons will not have access to the data processing equipment used to process the Personal Data: , (aii) any persons it authorizes to have committed themselves access to appropriate contractual confidentiality obligations or are under an appropriate statutory obligation of confidentiality; (b) Processes the Personal Data solely on behalf will respect and maintain the confidentiality and security of the Personal Data, and (iii) the measures and procedures that it uses will be sufficient to comply with all applicable legal requirements. d) In connection with protecting, collecting, storing, transferring and otherwise processing of Personal Data, Supplier agrees to act only in accordance with the requirements of This Agreement or instructions from UL Solutions; and provided by HP either upon Supplier’s request or HP’s election. e) Not to copy or reproduce any Personal Data without the express written permission of HP, except as technically necessary to comply with this Agreement (c) are appropriately reliablee.g., qualified, and trained in relation to their Processing duplication of Personal Data;data stocks as backup protection against loss of data). f) implement (To immediately notify the HP Program Manager by telephone and assist UL Solutions to implement) technical and organizational measures to ensure a level follow up in writing if it becomes aware of security appropriate to the risk presented by Processing the Personal Dataany actual, in particular from accidental suspected or unlawful destructionalleged unauthorized use of, loss, alteration, unauthorized disclosure of, or access to Personal Data transmittedby itself or others, storedincluding notification of loss or suspected loss of data whether or not such data has been encrypted. Supplier will cooperate with HP in the manner reasonably requested by HP and in accordance with law, including but not limited to: conducting the investigation; cooperating with authorities; notifying at Supplier’s sole expense affected persons, credit bureaus, other persons or otherwise processed, entities deemed appropriate by HP; and comply with the UL Solutions issuing press releases. Such cooperation will include without limitation: (i) HP access to Supplier Minimum Security Requirements set forth in Exhibit A records and facilities; (ii) Supplier provision of all relevant data and reports to the Agreement;HP; and (iii) prior advance approval by HP of any notifications to impacted individuals or press releases. g) To inform HP promptly in writing if Supplier is of the event opinion that Supplier becomes aware of any actual or suspected (iinstruction from HP violates the applicable personal data protection regulations. h) breach of security leading to the accidental or unlawful destructionWhen collecting, lossusing, alterationstoring, unauthorized disclosure of, or access to, Personal Data (ii) unauthorized access, acquisition, disclosure, or use of transferring and otherwise processing Personal Data, or (iii) any breach of security with respect Supplier shall adhere to Supplier’s (including its subcontractors’) systems that store or process Personal Data (in each case, a “Security Incident”), Supplier must (x) provide written notice of the Security Incident to UL Solutions within twenty-four (24) hours; (y) perform an investigation to learn the cause of such Security Incident; and (z) take all steps necessary to remedy the event and prevent reoccurrence. Supplier must cooperate with UL Solutions in the investigation and remediation efforts following a Security Incident and grant UL Solutions access to relevant systems and logs related to said Security Incident; h) provide reasonable assistance to UL Solutions in: (a) responding to requests for exercising the rights of Data Subjects under applicable Data Protection Legislation, including by deleting Personal Data, correcting Personal Data, disclosing the specific pieces of Personal Data Processed by the Supplier, insofar as this is possible; (b) reporting any Security Incident to any supervisory authority or Data Subjects and documenting any Security Incidents; (c) taking measure to address Security Incidents, including, where appropriate, measures to mitigate its possible adverse effects; (d) conducting privacy and data protection impact assessments (export and personal information protection impact assessmentdata laws, if applicable) of any Processing operations regulations and in consulting with any applicable supervisory authority or appropriate persons accordingly and (e) undertaking any other activities which may be necessary or requested by UL Solutions for compliance with the Data Protection Legislation; andrules. i) securely delete or return all Supplier will handle any Personal Data to UL Solutions (at the choice of UL Solutions) after the end of the provision of services relating to processing in accordance a manner consistent with the Agreement.then current HP Privacy Policy available at xxx.xx.xxx/xxxxxx/xxxxxxxxxxxxxxxxx/xxxxxxx/xxxxxxxxxxxx.xxxx