Common use of The Contractor shall Clause in Contracts

The Contractor shall. (a) process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Authority to the Contractor during the Contract Period); (b) process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; (c) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (d) take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data; (e) obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or Affiliates for the provision of the Services; (f) ensure that all Contractor’s Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Condition 30.9 (Data Protection); (g) ensure that none of Contractor’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; (h) notify the Authority within five Working Days) if it receives: (i) a request from a Data Subject to have access to that person's Personal Data; or (ii) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; (i) provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (i). providing the Authority with full details of the complaint or request; (ii) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (iii) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (iv) providing the Authority with any information requested by the Authority;

The Contractor shall. (a) process 2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Authority to the Contractor during the Contract PeriodTerm);; Z9. (b) process 2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body;; Z9. (c) implement 2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;; Z9. (d) 2.4 take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data;; Z9. (e) 2.5 obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-sub- contractors or Affiliates for the provision of the Services;; Z9. (f) 2.6 ensure that all Contractor’s Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Condition 30.9 (Data Protection);clause; Z9. (g) 2.7 ensure that none of Contractor’s Staff personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority;; Z9. (h) 2.8 notify the Authority (within five [five] Working Days) if it receives: (i) : i. a request from a Data Subject to have access to that person's Personal Data; or (or ii) . a complaint or request relating to the Authority's obligations under the Data Protection Legislation;; Z9. (i) 2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (i). i. providing the Authority with full details of the complaint or request; (; ii) . complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (; iii) . providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (iv) providing the Authority with any information requested by the Authority;

The Contractor shall. (a) process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Authority to the Contractor during the Contract Period); (b) process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; (c) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (d) take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data; (e) obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or Affiliates for the provision of the Services; (f) ensure that all Contractor’s Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Condition 30.9 (Data Protection)29; (g) ensure that none of Contractor’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; (h) notify the Authority (within five Working Days) if it receives: (i) i. a request from a Data Subject to have access to that person's Personal Data; or (ii) . a complaint or request relating to the Authority's obligations under the Data Protection Legislation; (i) provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (i). : i. providing the Authority with full details of the complaint or request; (ii) . complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (iii) . providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (iv) . providing the Authority with any information requested by the Authority; (j) permit the Authority or the Authority’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with Condition 28 (Right of Audit), the Contractor's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; (k) provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and (l) not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with: i. the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and ii. any reasonable instructions notified to it by the Authority.

The Contractor shall. (a) process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Authority to the Contractor during the Contract Period); (b) process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; (c) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (d) take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data; (e) obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or Affiliates for the provision of the Services; (f) ensure that all Contractor’s Contractor‟s Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Condition 30.9 (Data Protection)35.9; (g) ensure that none of Contractor’s Contractor‟s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; (h) notify the Authority (within five [five] Working Days) if it receives: (i) i. a request from a Data Subject to have access to that person's Personal Data; or (ii) . a complaint or request relating to the Authority's obligations under the Data Protection Legislation; (i) provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (i). : i. providing the Authority with full details of the complaint or request; (ii) . complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (iii) . providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (iv) . providing the Authority with any information requested by the Authority; (j) permit the Authority or the Authority‟s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with Condition 34 (Right of Audit), the Contractor's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; (k) provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and (l) not Process Personal Data outside the European Economic Area or United States without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with: i. the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and ii. any reasonable instructions notified to it by the Authority.